XrML is becoming a popular language in industry for writing software licenses. The semantics for XrML is implicitly given by an algorithm that determines if a permission follows from a set of licenses. We focus on a fragment of the language and use it to highlight some problematic aspects of the algorithm. We then correct the problems, introduce formal semantics, and show that our semantics captures the (corrected) algorithm. Next, we consider the complexity of determining if a permission is implied by a set of XrML licenses. We prove that the general problem is undecidable, but it is polynomial-time computable for an expressive fragment of the language. We extend XrML to capture a wider range of licenses by adding negation to the language. Finally, we discuss the key differences between XrML and MPEG-21, an international standard based on XrML.

Categories and Subject Descriptors: H.2.7 [Database Management]: Database Administration — Security; integrity; protection; K.4.4 [Computers and Society]: Electronic Commerce — Security

General Terms: Security, Languages 

1. INTRODUCTION

The extensible rights Markup Language (XrML) is becoming an increasingly popular language in which to write software licenses. When first released in 2000, XrML received the support of many technology providers, content owners, distributors, and retailers, including Adobe Systems, Hewlett-Packard Laboratories, Microsoft, Xerox Corp., Barnesandnoble.com, and Time Warner Trade Publishing. In fact, Microsoft, OverDrive, and DMDsecure have publicly announced their agreement to build products and/or services that are XrML compliant. Currently, XrML is being used by international standard committees as the basis for application-specific languages that are designed for use across entire industries. For example, the Moving Picture Experts Group (MPEG) has selected XrML as the foundation for their MPEG-21 Rights Expression Language, henceforth referred to as MPEG-21 (see http://www.xrml.org). It is clear that a number of industries are moving towards a standard language for writing licenses and that many of these standard languages are likely to be based on XrML. To understand the new standards, we need to understand XrML.

XrML does not have formal semantics. Instead, the XrML specification [ContentGuard 2001] presents the semantics in two ways. First is an English description of the language. Second is an English description of an algorithm that determines if a permission follows from a set of licenses. Unfortunately, the two versions of the semantics do not agree. To make matters worse, the algorithm has unintuitive consequences that do not seem to reflect the language developers' intent.

To address these issues, we provide formal semantics for a fragment of XrML. We 
focus on a fragment because the entire language is somewhat unwieldy. An XrML 
license says that an agent grants a permission if certain conditions hold. Our 
fragment includes only two types of permissions and only two types of conditions. 
We give our fragment formal semantics by defining a translation from licenses in 
the fragment to formulas in first-order logic extended with a validity operator. We 
argue that the translation preserves the meaning of the XrML statements by proving 
that the algorithm included in the XrML document, slightly modified to correct 
the unintuitive behavior, matches our semantics. More precisely, the algorithm 
says that a permission follows from a set of licenses if and only if the translated 
permission is a logical consequence of the translated licenses. We then consider the 
complexity of determining if a permission is implied by a set of licenses. We show 
that the general problem is undecidable, even for our fragment. The problem is 
decidable in polynomial time if we restrict the fragment slightly. 

A shortcoming of XrML is that it does not support negation. For example, in XrML, we cannot write "customers may not edit the software". The XrML developers deal with this limitation, to some extent, by assuming that an action is forbidden unless it is explicitly permitted. As a result, a license writer does not need to say that an action is forbidden, because the prohibition is already implied. This approach might be acceptable in various instances, but it is difficult to believe that most license writers really want to forbid every action that they do not explicitly permit. So, the approach does not capture the license writer's actual intent. Moreover, it limits the class of licenses that can be expressed, because it removes the distinction between forbidden and unregulated actions. For example, in XrML, we cannot say "a hospital may petition for an exemption if it permits an action that the government forbids". Similarly, a course instructor cannot say "if the university does not object, then Alice is permitted to audit the class". In this paper, we extend XrML to include such statements and consider the effect of the addition on the language's tractability.

MPEG-21 is an international standard based on XrML. When we first decided to give XrML formal semantics, the MPEG committee had released a beta version of its language, which was XrML with minor revisions, and was preparing the final release. We chose to give semantics to the beta language first (before analyzing the official XrML specification, as is done here), because we hoped that any problems we found would be corrected in the final version of MPEG-21. This is, in fact, what occurred. After discussing our results with Thomas DeMartini and Xin Wang of the MPEG Standards Committee, the committee released their ISO standard [MPEG 2004]; the shortcomings that we identified are addressed in the standard. We conjecture that all of our results for XrML hold with minor changes for MPEG-21, although we have not verified the details.

ACM Journal Name, Vol. V, No. N, 20YY.

A Formal Foundation for XrML • 3

The rest of the paper is organized as follows. In the next section we present our fragment of XrML. In Section 3 we review XrML's algorithm for answering queries. After considering some examples in which the algorithm's behavior is unintuitive and almost certainly unintended, we propose corrections that we believe capture the designers' intent. Formal semantics for our fragment are given in Section 4, and the revised algorithm is shown to be sound and complete with respect to the semantics. In Section 5 we show that the problem of determining if a permission follows from a set of licenses is undecidable. We also discuss a fragment of XrML that is both tractable and relatively expressive. In Section 6 we outline how our results can be extended to a substantial fragment of XrML. Negation is added to XrML in Section 7. The analysis of this paper had an impact on practice. MPEG-21 REL, an international standard based on XrML, incorporates the developers' response to our concerns about XrML. We describe MPEG-21 REL, and how it deals with our concerns, in Section 8. We conclude in Section 9. All of the proofs are in the appendix.

2. SYNTAX 

XrML is an XML-based language; it follows XML conventions. Rather than present that syntax, we use an alternative syntax that is more concise and, we believe, more intuitive. In this section, we introduce our syntax for a fragment of XrML (the rest of the language is discussed in Section 6) and describe the key differences between the syntax used in the XrML specification and that used here.

At the heart of XrML is the notion of a license. A license is a (principal, grant) 
pair, where the license (p,g) means p issues (i.e., says) g. For example, the license 
(Alice, Bob is smart) means "Alice says 'Bob is smart'". 

A grant has the form ∀x1 ... ∀xn (condition → conclusion), which intuitively means that the condition implies the conclusion under all appropriate substitutions. Conditions and conclusions are defined as follows.

— A condition has the form d1 ∧ ... ∧ dn, where each d_i is either true or Said(p, e) for some principal p and conclusion e. Roughly speaking, the condition true always holds and the condition Said(p, e) holds if p issues a grant that says e holds if a condition d holds, and d does, in fact, hold.

— A conclusion has either the form Perm(p, r, s) or the form Pr(p), where Pr is a property, p is a principal, r is a right (i.e., an action), and s is a resource. The conclusion Perm(p, r, s) means p may exercise r over s. For example, Perm(Bob, edit, budget report) means Bob may edit the budget report. The conclusion Pr(p) means p has the property Pr. For example, the conclusion Attractive(Bob) means Bob is attractive.

We abbreviate the grant ∀x1 ... ∀xn (true → e) as ∀x1 ... ∀xn e. Also, we try to consistently use d, possibly subscripted, to denote a generic condition and e, possibly subscripted, to denote a generic conclusion.

Consider the following example. Suppose that Alice issues the grant "Bob is smart" and Amy issues the grant "if Alice says that Bob is smart, then he is attractive". We can write the first license in our syntax as (Alice, g1), where g1 = Smart(Bob) (recall that this is an abbreviation for true → Smart(Bob)), and we can write the second as (Amy, g2), where g2 = Said(Alice, Smart(Bob)) → Attractive(Bob). Because (Alice, g1) is in the set of issued licenses, Said(Alice, Smart(Bob)) holds. It follows from this fact and the license (Amy, g2) that Said(Amy, Attractive(Bob)) holds as well.

The sets of principals, properties, rights, and resources depend on the particular 
application. For example, a multimedia application might have a principal for each 
employee and each customer; properties such as "hearing impaired" and "manager" ; 
rights such as "edit" and "download"; and a resource for each object such as a 
movie. We assume the application gives us a finite set primitivePrin of principals 
and a finite set primitiveProp of properties. We then define the components in our 
language as follows. 

— The set P of principals is the result of closing primitivePrin under union. (Here and elsewhere we identify a principal p ∈ primitivePrin with the singleton {p} and write {p1, ..., pn} rather than {p1} ∪ ... ∪ {pn}.) The interpretation of a principal {p1, ..., pn} depends on context; that is, the interpretation depends on whether the principal appears as the first argument in a Said condition, in a conclusion, or in a license. We discuss this later in the paper (primarily in Section 5).

— The set of properties is primitiveProp. We assume that every property in primitiveProp takes a single argument and that argument is of sort Principal. For example, primitiveProp can include the property Employee, where Employee(x) means principal x is an employee, but it cannot include the property MotherOf, where MotherOf(x, y) means principal x is the mother of principal y, nor can it include the property Vehicle, where Vehicle(x) means resource x is a vehicle (e.g., a motorcycle, car, or truck). The results in this paper continue to hold if we extend the language to include properties that take multiple arguments of various sorts (i.e., principals, rights, and resources). It is also easy to show that closing primitiveProp under conjunction adds no expressive power to the language. Closing under negation does add expressive power; we return to this issue in Section 7.

— The only right in our language is issue and the only resources are grants. Intuitively, if a principal p has the right to issue a grant g, and p does issue g, then g is a true statement. Including additional rights and resources in our language does not significantly affect the discussion.

We formally define the syntax according to the following grammar.

license ::= (prin, grant)
grant   ::= ∀var ... ∀var (cond → conc)
var     ::= x_p | x_r
cond    ::= true | Said(prin, conc) | cond ∧ cond
conc    ::= Pr(prin) | Perm(prin, right, rsrc)
prin    ::= {p} | {x_p} | prin ∪ prin
right   ::= issue
rsrc    ::= grant | x_r,

where Pr is an element of primitiveProp, p is an element of primitivePrin, x_p is an element of prinVar, which is the set of variables ranging over primitive principals, and x_r is an element of rsrcVar, which is the set of variables ranging over resources. For the remainder of this paper we assume that the first argument in a license is a singleton. Because the XrML document treats the license ({p1, ..., pn}, g) as an abbreviation for the set of licenses {(p, g) | p ∈ {p1, ..., pn}}, it is easy to modify our discussion to support all of the licenses included in the grammar.

As mentioned at the beginning of this section, the grammar presented here is 
not identical to that described in the XrML document. Certain components of 
XrML are omitted from our language. These are discussed in Section 6. The XrML 
components that are included are represented using a syntax that we believe is 
more intuitive. The main differences between the syntax of our language and the 
syntax of XrML are described below. 

— Instead of assuming that the application provides a set of primitive principals, XrML assumes that the application provides a set K of cryptographic keys; the set of primitive principals is {KeyHolder(k) | k ∈ K}. We could take primitivePrin to be this set; however, our more general approach leads to a simpler discussion. Moreover, our results do not change if we restrict primitive principals to those of the form KeyHolder(k).

— XrML does not have conclusions of the form Pr(p). To capture properties, XrML uses a right called PossessProperty and considers the properties given by the application to be resources. The conclusion Pr(p) in our grammar corresponds to the conclusion Perm(p, PossessProperty, Pr) in XrML. We have two types of conclusions because we believe the grammar should help distinguish the conceptually different notions of permissions and properties, rather than confounding them.

— Rather than writing AllPrincipals(p1, ..., pn), AllConditions(c1, ..., cn), and AllConditions(), we use the more standard notations {p1, ..., pn}, c1 ∧ ... ∧ cn, and true, respectively. Rather than writing PrerequisiteRight(p, e), we use the shorter and, we believe, more appropriate notation Said(p, e).

— As discussed previously, XrML abbreviates a set of licenses {(p_i, g_j) | i ≤ n, j ≤ m} as the single license ({p1, ..., pn}, {g1, ..., gm}). For ease of exposition, we do not do this.

3. XRML'S AUTHORIZATION ALGORITHM 

The XrML document includes a procedure that we call Query to determine if a 
conclusion follows from a set of licenses (and some additional input that is discussed 
below). In this section we present and analyze the parts of the algorithm that 
pertain to our fragment. 

Before describing the algorithm, we note that some aspects of Query are inefficient. This is acknowledged in the XrML document, which explains that Query was designed with clarity as the primary goal; it is the responsibility of the language implementors to create efficient algorithms with the same input/output behavior as Query. (In Section 5, we show that it is highly unlikely that such an efficient algorithm exists.)

3.1 A Description of Query

The input to Query is a closed conclusion e (i.e., a conclusion with no free variables), a set L of licenses (p, g) such that p is variable-free, and a set R of grants; Query returns true if e is implied by L and R, and returns false otherwise. To explain the intuition behind L and R, we first note that the procedure treats a predefined set of principals as trusted. If a trusted principal issues the grant g, then g is in R and it is assumed to be true. If the license (p, g) is in L, then p issued g (i.e., p says g) and p is not an implicitly trusted principal. To clarify the inferences that are drawn from R and L, suppose that the grant g is QueenOfSiam(Alice), which means Alice is Queen of Siam, and the grant g' is Perm(Alice, issue, g), which means Alice may issue g. If g ∈ R, then we assume that Alice really is queen. If (Alice, g) is in L, then Alice says that she is the queen, but we cannot conclude that she is royalty from this statement alone. If (Alice, g) is in L and g' is in R, then we assume that Alice has the authority to declare herself queen, because g' ∈ R; we assume that she exercises that authority, because (Alice, g) ∈ L; and we conclude that Alice is queen, because this follows from the two assumptions.

Query begins by calling the Auth algorithm. Auth takes e, L, and R as input; it returns a set D of closed conditions (i.e., conditions with no free variables). Roughly speaking, a closed condition d is in D if d, L, and R together imply e. To determine if a condition in D holds, Query relies on the Holds algorithm. The input to Holds is a closed condition d and a set L of licenses; Holds(d, L) returns true if the licenses in L imply d, and returns false otherwise. If Holds(d, L) returns true for some d in D, then Query returns true, indicating that L implies e. Query is summarized in Figure 1.



Query(e, L, R):
  D := Auth(e, L, R)
  if Holds(d, L) = true for a condition d ∈ D
  then return true
  else return false

Fig. 1. The Query Algorithm

We now discuss Auth and Holds in some detail. To define Auth, we first consider the case where L = ∅. Define a closed substitution to be a mapping from variables to closed expressions of the appropriate sort. Given a closed substitution σ and an expression t, let tσ be the expression that arises after all free variables x in t are replaced by σ(x). Roughly speaking, Auth(e, ∅, R) returns the set D of closed conditions such that each condition in D, in conjunction with the grants in R, implies e. That is, d ∈ D iff there is a grant g = ∀x1 ... ∀xn (d_g → e_g) in R and a closed substitution σ such that d = d_g σ and e_g implies e. Auth determines whether e_g implies e in a somewhat nonstandard way. In particular, it makes the subset assumption, which says that any property or permission attributed to a principal p is attributed to every principal that includes p. In other words, if p ⊆ p', then Pr(p) implies Pr(p') and Perm(p, r, s) implies Perm(p', r, s). Thus,

Auth(Pr(p), ∅, R) = {d | for some grant g = ∀x1 ... ∀xn (d_g → Pr(p_g)) ∈ R and closed substitution σ, d_g σ = d and p_g σ ⊆ p} and

Auth(Perm(p, r, s), ∅, R) = {d | for some grant ∀x1 ... ∀xn (d_g → Perm(p_g, r_g, s_g)) ∈ R and closed substitution σ, d_g σ = d, p_g σ ⊆ p, r_g σ = r, and s_g σ = s}.

Suppose that L ≠ ∅. Then we reduce to the previous case by taking Auth(e, L, R) = Auth(e, ∅, R'), where, intuitively, R' is the set of legitimate grants; that is, R' consists of the grants in R and the grants issued by someone who has the authority to do so. It seems reasonable to call Query(Perm(p, issue, g), L, R) to determine if a principal p has the authority to issue a grant g. However, if Auth calls Query(Perm(p, issue, g), L, R) to construct R', then the algorithm will not terminate, because Query calls Auth, leading to an infinite call tree. So, instead of calling Query(Perm(p, issue, g), L, R), the XrML algorithm determines if p is permitted to issue g by checking if Holds(d, L) = true for some d in the set Auth(Perm(p, issue, g), L − {(p, g)}, R). We discuss the consequences of this solution in Section 3.2. In summary,

R' = R ∪ R'', where

R'' = {g | for some license (p, g) ∈ L and condition d, d ∈ Auth(Perm(p, issue, g), L − {(p, g)}, R) and Holds(d, L) = true}.

Pseudocode for Auth is given in Figure 2. 

We define Holds(d, L) by induction on the structure of d. If d is true, then Holds(d, L) = true. If d = Said(p, e), then Holds(d, L) = true iff p issues a grant ∀x1 ... ∀xn (d_g → e_g) such that, for some substitution σ, e_g σ = e and Holds(d_g σ, L) = true. In this context, a principal {p1, ..., pn} issues a grant g if p_i issues g for some i = 1, ..., n. If d = d1 ∧ ... ∧ dn, where each d_i is true or a Said condition, then Holds(d, L) = ∧_{i=1..n} Holds(d_i, L). Pseudocode for Holds is given in Figure 3.

Example 3.1. In Section 2, we argued informally that Amy says Bob is attractive if the set of licenses is L = {(Alice, g1), (Amy, g2)}, where g1 = Smart(Bob) and g2 = Said(Alice, Smart(Bob)) → Attractive(Bob). The formal algorithm gives the same conclusion. Specifically, Holds(Said(Amy, Attractive(Bob)), L) sets R_Amy = {g2} and calls Holds(Said(Alice, Smart(Bob)), L). During this call R_Alice is set to {g1} and Holds(true, L) is called. Because Holds(true, L) = true, Holds(Said(Alice, Smart(Bob)), L) = true and, thus, Holds(Said(Amy, Attractive(Bob)), L) = true.

Suppose that a trusted principal says that Amy has the authority to issue g2 (i.e., if Amy says g2, then g2 holds). Then we can conclude that Bob really is attractive, because Query(Attractive(Bob), L, R) = true, where R = {Perm(Amy, issue, g2)}. Specifically, Query begins by calling Auth(Attractive(Bob), L, R). Auth(Attractive(Bob), L, R), in turn, calls Auth(Attractive(Bob), ∅, R'), where R' = {g2, Perm(Amy, issue, g2)}. Auth(Attractive(Bob), ∅, R') = {Said(Alice, Smart(Bob))}. So, Bob is attractive if the condition Said(Alice, Smart(Bob)) holds. To determine if the condition

Auth(e, L, R):
  D := ∅
  if L = ∅
  then
    % Find D, the conditions under which R implies e
    if e = Pr(p)
      for each grant ∀x1 ... ∀xn (d_g → Pr(p_g)) ∈ R
        D := D ∪ {d | d_g σ = d and p_g σ ⊆ p, for some closed substitution σ}
    if e = Perm(p, r, s)
      for each grant ∀x1 ... ∀xn (d_g → Perm(p_g, r_g, s_g)) ∈ R
        D := D ∪ {d | d_g σ = d, p_g σ ⊆ p, r_g σ = r, and s_g σ = s, for some closed substitution σ}
  else
    % Find R'
    R' := R
    for each license (p, g) ∈ L
      L' := L − {(p, g)}
      D' := Auth(Perm(p, issue, g), L', R)
      if Holds(d, L) = true for a condition d ∈ D'
      then R' := R' ∪ {g}
    % Find D, the conditions under which R' implies e
    D := Auth(e, ∅, R')
  return D

Fig. 2. The Auth Algorithm

Holds(d, L):
  if d = true
  then return true
  if d = Said(p, e)
  then
    R_p := {g | for some principal p', (p', g) ∈ L and p' ∈ p}
    D := {d' | for some grant ∀x1 ... ∀xn (d_g → e_g) ∈ R_p and closed substitution σ, d_g σ = d' and e_g σ = e}
    if Holds(d', L) = true for a condition d' ∈ D
    then return true
    else return false
  if d = d1 ∧ ... ∧ dn, where each d_i is true or a Said condition
  then return ∧_{i=1..n} Holds(d_i, L)

Fig. 3. The Holds Algorithm

holds, Query calls Holds(Said(Alice, Smart(Bob)), L). We have already shown that Holds(Said(Alice, Smart(Bob)), L) = true; we evaluated this call during our analysis of Holds(Said(Amy, Attractive(Bob)), L). So Bob is indeed attractive. □

Query as described here and in the XrML specification is somewhat ambiguous. 
For example, the specification does not say in which order the conditions in D should 
be tested to see if at least one condition in D holds. As a result, there are a number 
of possible executions of a call Query(e, L, R), depending on the implementation of 
Query. It is easy to see that, for a particular input, every execution that terminates 
returns the same output. However, as we show in Example 3.4, whether Query 
terminates can depend on how it is implemented. A similar issue arises with Auth 
and Holds. We talk about an execution of Query, Auth, or Holds only if the 
choice of execution affects whether the algorithm terminates. For example, we write 
Query(e, L, R) = true if every execution of Query(e, L, R) returns true. 

3.2 An Analysis of Query 

In this section we present five examples in which Query gives unexpected results. Example 3.2 reveals a mismatch between Query and the informal language description; the discrepancy exists because Auth makes the subset assumption and the informal language description does not. Example 3.3 demonstrates that a license (p, g) should not be removed from the set of licenses when determining if p is permitted to issue g. Examples 3.4, 3.5, and 3.6 show that a reasonable implementation of Query does not terminate on all inputs, for three quite different reasons: Example 3.4 shows that on some inputs Holds makes infinitely many identical calls; Example 3.5 shows that on some inputs the call tree for Query includes an infinite path of distinct nodes; and Example 3.6 shows that on some inputs the call tree for Query includes a node with infinitely many distinct children.

Example 3.2. Suppose that Alice is quietly walking beside her two giggling daughters, Betty and Bonnie. Are the three of them a quiet group? Intuitively, they are not, because Betty and Bonnie are giggling. According to Query, however, the answer is yes. Since Alice is quiet and Auth makes the subset assumption, Query concludes that the principal {Alice, Betty, Bonnie} is quiet; that is, Query(Quiet({Alice, Betty, Bonnie}), ∅, {Quiet(Alice)}) = true. □

Example 3.3. Suppose that Alice says that she is smart, and if Alice says that she is smart, then she is permitted to say that she is smart. Is Alice smart? Intuitively, she is, because Alice is permitted to say that she is smart and she does so. But consider Query(Smart(Alice), L, R), where L = {(Alice, g)}, R = {Said(Alice, Smart(Alice)) → Perm(Alice, issue, g)}, and g = Smart(Alice). Query(Smart(Alice), L, R) begins by calling Auth(Smart(Alice), L, R). Auth checks whether or not Alice is permitted to issue g. It determines that Alice may not issue g, because the permission does not follow from R and L − {(Alice, g)}. Since Alice is not permitted to issue g, Auth sets R' = R and returns ∅. Because Auth returns ∅, Query returns false. □

Example 3.4. Suppose that Alice issues the grant "if I say Bob is smart, then he is" and Alice is permitted to issue this grant. Can we conclude that Bob is smart? To answer the question using Query, let e = Smart(Bob), g = Said(Alice, e) → e, L = {(Alice, g)}, and R = {Perm(Alice, issue, g)}. We are interested in the output of Query(e, L, R). Query(e, L, R) begins by calling Auth(e, L, R), which returns the set D = {Said(Alice, e)}. Query then calls Holds(Said(Alice, e), L), which sets R_Alice = {g} and calls Holds(Said(Alice, e), L) again. It is easy to see that an infinite number of calls to Holds(Said(Alice, e), L) are made during the execution of Query(e, L, R) and thus the execution does not terminate.

It is tempting to conclude that a set L of licenses and a set R of grants imply a conclusion e only if Query(e, L, R) terminates and returns true. Unfortunately, whether Query(e, L, R) terminates can depend on the order in which the calls to Holds are made. To see why, consider a slight modification of the previous example where we add the grant Smart(Bob) to R. Intuitively, this means that an implicitly trusted principal says that Bob is smart. It now seems reasonable to expect that every execution of Query(e, L, R') returns true, where R' = R ∪ {e}, and e, L, and R are as defined in the original example. Surely the issued grants imply that Bob is smart, since a grant issued by a trusted principal says just that! However, only some of the executions terminate. Every execution of Query begins by calling Auth(e, L, R'), and every execution of Auth(e, L, R') returns {Said(Alice, e), true}. If an execution of Query next calls Holds(true, L), then that execution of Query returns true. On the other hand, if the execution calls Holds(Said(Alice, e), L) and then waits for the call to return before calling Holds(true, L), then the execution does not terminate for the same reason that every execution of Query(e, L, R) does not terminate. □

Example 3.5. Suppose that Alice says "for all grants g, if I say I am allowed to issue the grant Perm(Alice, issue, g), then I am allowed to issue g", and Alice is allowed to issue that statement. Is Alice allowed to issue the grant Nap(Alice)? To answer this question using Query, some abbreviations are useful. For all grants g, we abbreviate the condition Said(Alice, Perm(Alice, issue, Perm(Alice, issue, g))) as d(g) and we abbreviate the grant Perm(Alice, issue, g) as h(g). We execute Query(e, L, R), where e = Perm(Alice, issue, Nap(Alice)), R = {Perm(Alice, issue, ∀x(d(x) → Perm(Alice, issue, x)))}, and L = {(Alice, ∀x(d(x) → Perm(Alice, issue, x)))}. Query(e, L, R) begins by calling Auth(e, L, R), which returns {d(Nap(Alice))}. Next Query calls Holds(d(Nap(Alice)), L), which calls Holds(d(h(Nap(Alice))), L), which calls Holds(d(h(h(Nap(Alice)))), L), and so on. It is not hard to see that, for all integers n > 0, Holds(d(h^n(Nap(Alice))), L) is called, where h^1(g) = h(g) and h^n(g) = h(h^{n−1}(g)), for all grants g. It follows that Holds does not terminate and, thus, Query does not terminate. □

Example 3.6. Suppose that Alice may say that she is trusted if Bob says that Alice may issue some grant (any grant at all). May Alice say that she is trusted? To answer this question using Query, we run Query(e, ∅, R), where e = Perm(Alice, issue, Trusted(Alice)), R = {∀x(d(x) → e)}, and d(x) = Said(Bob, Perm(Alice, issue, x)). Query begins by calling Auth(e, ∅, R), which returns D = {d(g) | g is a grant}. We show below that D is an infinite set, so every execution of Auth that tries to compute D does not terminate. Even if D is defined without explicitly listing all of its elements, Query must determine if some element in D holds. In fact, none do. Thus, any approach to testing if some condition in D holds by explicitly testing each condition will not terminate.

It remains to show that D = {d(g) | g is a grant} is an infinite set. The key observation is that infinitely many distinct grants can be expressed in the language, even if the vocabulary consists of only one property Pr and one principal p. To see why, define grants g_n, n ≥ 1, inductively by taking g1 = true → Pr(p) and g_{n+1} = Said(p, Perm(p, issue, g_n)) → Pr(p) for all n > 0. Since each of these grants is clearly distinct, D is infinite. □

3.3 A Corrected Version of Query 

In this section we revise Query to correct the problems observed in Section 3.2. One of the corrections is fairly straightforward. We resolve the mismatch illustrated in Example 3.2 by removing the subset assumption from Auth. We note that the language is sufficiently expressive to force the subset assumption, if desired, by including the following grants in R:

g = ∀x1 ∀x2 ∀x3 (Perm(x1, issue, x2) → Perm(x1 ∪ x3, issue, x2))
g_i = ∀x1 ∀x2 (Pr_i(x1) → Pr_i(x1 ∪ x2)), for i = 1, ..., n,

where x1, x2, and x3 are variables of the appropriate sorts and Pr_1, ..., Pr_n are the properties in the language. We now consider Examples 3.3, 3.4, 3.5, and 3.6, in turn.

The problem illustrated in Example 3.3 lies in the definition of R'. Recall that we define Auth(e, L, R) = Auth(e, ∅, R'). Roughly speaking, R' should consist of the set of grants in R together with those issued by someone who has the authority to do so. In other words, R' should be R ∪ {g | for some principal p, (p, g) ∈ L and Query(Perm(p, issue, g), L, R) = true}. However, when computing Query(Perm(p, issue, g), L, R), Auth is given the argument L − {(p, g)} rather than L. Our solution is to do the "right" thing here, and compute Query(Perm(p, issue, g), L, R). But now we have to deal with the problem of termination, since a consequence of our change is that Query(e, L, R) terminates only if the set L = ∅. To ensure termination, we modify Auth so that no call is evaluated twice. Specifically, the revised Auth takes a fourth argument E that is the set of closed conditions that have been the first argument to a previous call; Auth(e, L, R, E) returns ∅ if e ∈ E. Because the revised Auth calls Query, which calls Auth, we modify Query to take E as its fourth argument. A closed condition e is implied by a set L of licenses and a set R of grants if the modified Query algorithm returns true on input (e, L, R, ∅). Pseudocode for the revised version of Query, which we call Query2, and for the revised version of Auth, which we call Auth2, are given in Figures 4 and 5, respectively. Query2 refers to the algorithm Holds2, which is Holds modified to correct the behavior seen in Example 3.4 (discussed below).

The type of nontermination seen in Example 3.4 occurs because Query tries to 
verify that a condition of the form Said(p, e) holds by checking if Said(p, e) holds. 
To correct the problem, we modify Holds to take a third argument S that is the 
set of Said conditions that have been the first argument to a previous call; that is, 
S is the set of Said conditions that are currently being evaluated. If the revised 
Holds is called with a first argument d that is in S (which means that the call was 
made when trying to determine whether d holds), then the algorithm returns false, 
thereby halting the cycle. Pseudocode for the revised version of Holds, which we 
call Holds2, is given in Figure 6. 

Query2(e, L, R, E): 
  D := Auth2(e, L, R, E) 
  if Holds2(d, L, ∅) = true for a condition d ∈ D 
    then return true 
    else return false 

Fig. 4. The Query2 Algorithm 

Auth2(e, L, R, E): 
  if e ∈ E 
    then return ∅ 
    else 
      E' := E ∪ {e} 
      R' := R 
      for each license (p, g) ∈ L 
        if Query2(Perm(p, issue, g), L, R, E') = true 
          then R' := R' ∪ {g} 
      D := ∅ 
      for each grant ∀x_1 ... ∀x_n(d_g → e_g) ∈ R' 
        D := D ∪ {d | d_g σ = d and e_g σ = e, for some closed substitution σ} 
      return D 

Fig. 5. The Auth2 Algorithm 

It is easy to see that the problem illustrated by Example 3.4 does not occur during 
the execution of Holds2. Moreover, the following theorem shows that Holds2 is 
correct in the sense that every execution of Holds and Holds2 has the same 
input/output behavior on the inputs for which both executions terminate and, if 
an execution of Holds terminates for a particular input (d, L), then some execution 
of Holds2(d, L, ∅) terminates as well. 

Proposition 3.7. For all closed conditions d and sets L of licenses, 

(a) every execution of Holds(d, L) that terminates returns the same output, 

(b) every execution of Holds2(d, L, ∅) that terminates returns the same output, 

(c) if an execution of Holds(d, L) terminates by returning the truth value t, then 
an execution of Holds2(d, L, ∅) terminates by returning t. 
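The three procedures Query2, Auth2 and Holds2 are short enough to run as written. The Python interpreter below is an added example, not code from the paper; it implements the three procedures over the fragment with two simplifying assumptions: principals are primitive (no ∪ operator, so p' ⊆ p becomes p' = p) and grants are restrained in the sense of Section 3.3, so a Resource variable that occurs only in the antecedent is rejected rather than enumerated (Principal variables that occur only in the antecedent range over the finite set P). The term encoding, the helper names (var, pr, perm, said, grant, instances, implied) and the sample license sets are all constructed here; the samples mirror Examples 4.3 and 4.4 of Section 4.2 and the self-referential license (Alice, Said(Alice, e) → e) of Example 3.4, which the S argument of Holds2 cuts off.

```python
# Added example (not the paper's code): an interpreter for Query2, Auth2 and Holds2
# over the fragment, assuming primitive principals only (no union operator, so
# p' ⊆ p is p' = p) and restrained grants (Section 3.3).
from itertools import product

TRUE = ("true",)                                       # the condition "true"
def var(name, sort): return ("var", name, sort)        # sort: "Principal" or "Resource"
def pr(prop, p): return ("Pr", prop, p)                # conclusion Pr(p)
def perm(p, res): return ("Perm", p, "issue", res)     # conclusion Perm(p, issue, res)
def said(p, e): return ("Said", p, e)                  # condition Said(p, e)
def grant(ante, concl): return ("grant", ante, concl)  # d_g -> e_g, quantified implicitly

def free_vars(t):
    if not isinstance(t, tuple): return set()
    return {t} if t[0] == "var" else set().union(*(free_vars(s) for s in t[1:]))

def subst(t, sigma):
    if not isinstance(t, tuple): return t
    if t[0] == "var": return sigma.get(t, t)
    return (t[0],) + tuple(subst(s, sigma) for s in t[1:])

def match(pattern, closed, sigma):
    """Extend sigma so that pattern sigma = closed; None if no such extension."""
    if isinstance(pattern, tuple) and pattern[0] == "var":
        if pattern in sigma:
            return sigma if sigma[pattern] == closed else None
        if pattern[2] == "Principal" and not isinstance(closed, str):
            return None                                # sort mismatch
        return {**sigma, pattern: closed}
    if not isinstance(pattern, tuple):
        return sigma if pattern == closed else None
    if not (isinstance(closed, tuple) and len(closed) == len(pattern) and closed[0] == pattern[0]):
        return None
    for a, b in zip(pattern[1:], closed[1:]):
        sigma = match(a, b, sigma)
        if sigma is None:
            return None
    return sigma

def instances(g, e, P):
    """All d_g sigma such that e_g sigma = e, for closed substitutions sigma."""
    _, ante, concl = g
    sigma = match(concl, e, {})
    if sigma is None:
        return []
    rest = sorted(v for v in free_vars(ante) if v not in sigma)
    if any(v[2] == "Resource" for v in rest):          # infinitely many closed resources
        raise ValueError("unrestrained grant: %r only in the antecedent" % (rest,))
    return [subst(ante, {**sigma, **dict(zip(rest, choice))})   # Principal vars range over P
            for choice in product(P, repeat=len(rest))]

def holds2(d, L, S, P):
    if d == TRUE:
        return True
    if d[0] == "and":
        return all(holds2(di, L, S, P) for di in d[1:])
    if d in S:                        # Said(p, e) is already being evaluated: cut the cycle
        return False
    _, p, e = d
    Rp = [g for issuer, g in L if issuer == p]         # grants issued by p' ⊆ p
    D = [inst for g in Rp for inst in instances(g, e, P)]
    return any(holds2(d2, L, S | {d}, P) for d2 in D)

def auth2(e, L, R, E, P):
    if e in E:
        return []
    E2 = E | {e}
    R2 = list(R) + [g for p, g in L if query2(perm(p, g), L, R, E2, P)]
    return [inst for g in R2 for inst in instances(g, e, P)]

def query2(e, L, R, E, P):
    return any(holds2(d, L, frozenset(), P) for d in auth2(e, L, R, E, P))

def implied(e, L, R, P):              # the XrML query: does e follow from L and R?
    return query2(e, L, R, frozenset(), P)

# Constructed inputs mirroring Examples 4.3 and 4.4 and the self-referential license.
P = ("Alice", "Bob", "Charlie")
x, y, z = var("x", "Principal"), var("y", "Resource"), var("z", "Resource")
ANY_ISSUE = grant(TRUE, perm("Alice", y))              # forall y. Perm(Alice, issue, y)
gA = grant(said("Alice", pr("Great", x)), pr("Good", x))
gB = grant(said("Alice", pr("Good", "Bob")), pr("Great", "Charlie"))
gC = grant(TRUE, pr("Great", "Bob"))
R44 = [grant(TRUE, pr("Cheated", "Alice")),
       grant(said("Alice", pr("Cheated", "Alice")), pr("Trusted", "Alice"))]
SELF = grant(said("Alice", pr("Honest", "Alice")), pr("Honest", "Alice"))

def run_examples():
    L43 = [("Alice", g) for g in (gA, gB, gC)]
    return {"charlie_is_good": implied(pr("Good", "Charlie"), L43, [ANY_ISSUE], P),   # True
            "alice_is_trusted": implied(pr("Trusted", "Alice"), [], R44, P),          # False
            "self_reference_terminates": implied(pr("Honest", "Alice"), [("Alice", SELF)], [ANY_ISSUE], P)}  # False

def unrestrained_grant_rejected():    # y occurs only in the antecedent: instances() refuses
    g = grant(said("Bob", perm("Alice", y)), perm("Alice", z))
    try:
        implied(perm("Alice", gC), [], [g], P)
    except ValueError:
        return True
    return False
```

On these inputs every recursive call strictly grows either E (in Auth2) or S (in Holds2), which is why the self-referential license returns false instead of looping; the ValueError raised for a loose Resource variable is the finite stand-in for the nontermination of Example 3.6, where Auth would have to enumerate infinitely many closed grants.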

Now consider Examples 3.5 and 3.6. To address the type of nontermination seen 
in these examples, we might hope to find an algorithm Query3 that returns the 
same output as Query2 on inputs for which an execution of Query2 terminates 
and returns false on all other inputs. Returning false when no execution of Query2 
terminates gives an intuitively reasonable answer; moreover, this approach is essentially 
what is done in MPEG-21 REL (see Section 8 for details). Unfortunately, as 
we show shortly (see Theorem 5.1) this approach will not work in general; there is 
no algorithm Query3 with these properties, since whether Query2 terminates on 
a given input is undecidable. 

Holds2(d, L, S): 
  if d = true 
    then return true 
  if d = d_1 ∧ ... ∧ d_n 
    then return ∧_{i=1,...,n} Holds2(d_i, L, S) 
  if d = Said(p, e) and d ∈ S 
    then return false 
  if d = Said(p, e) and d ∉ S 
    then 
      S' := S ∪ {d} 
      R_p := {g | for some principal p', (p', g) ∈ L and p' ⊆ p} 
      D := {d' | for some grant ∀x_1 ... ∀x_n(d_g → e_g) ∈ R_p and 
                 closed substitution σ, d_g σ = d' and e_g σ = e} 
      if Holds2(d', L, S') = true for a condition d' ∈ D 
        then return true 
        else return false 

Fig. 6. The Holds2 Algorithm 

Since we cannot "fix" Query2, the best we can do is define some restrictions 
such that, if the restrictions hold for a particular query, then the problems seen in 
Examples 3.5 and 3.6 do not occur for that query. We now describe some conditions 
that are sufficient and that we suspect often hold in practice. 

To describe our approach for avoiding the problem seen in Example 3.5, let g and 
g' be the grants ∀x_1 ... ∀x_n(d_g → e_g) and ∀x_1 ... ∀x_m(d_{g'} → e_{g'}), respectively. The 
license (p, g) affects the license (p', g') if and only if there are closed substitutions 
σ and σ' such that a condition of the form Said(p'', e_g σ) is mentioned in d_{g'} σ' and 
p ⊆ p''. For example, consider the license set L = {(Alice, g_1), (Amy, g_2)}, where 
g_1 = Smart(Bob) and g_2 = ∀x(Said(Alice, Smart(x)) → Attractive(x)). The 
license (Alice, g_1) affects the license (Amy, g_2) because the conditions are satisfied 
if σ is a closed substitution and σ' is a closed substitution such that σ'(x) = Bob. 
A set L of licenses is hierarchical if there exists a strict partial order ≺ on the 
licenses in L such that, for all licenses ℓ, ℓ' ∈ L, if ℓ affects ℓ' then ℓ ≺ ℓ'. Continuing 
our example, L is hierarchical because the ordering (Alice, g_1) ≺ (Amy, g_2) satisfies 
the requirements. Observe that no hierarchical license set includes the license 
(Alice, Said(Alice, e) → e), because this license affects itself. The license set in 
Example 3.5 is not hierarchical for essentially the same reason. It is not hard to see 
that by restricting the set of queries (e, L, R, E) to those in which L is hierarchical, 
we avoid the type of circularity that causes the problem seen in Example 3.5. In 
the next result and elsewhere, we use #(X) to denote the cardinality of a set X. 

Proposition 3.8. If d is a closed condition, L is a hierarchical set of licenses, 
S is a set of closed Said conditions, and T is the call tree of an execution of 
Holds2(d, L, S), then the height of T is at most 2#(L) + 1. 
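A practitioner who wants the 2#(L) + 1 bound of Proposition 3.8 first has to check that the license set is hierarchical. The Python code below is an added example, not from the paper; it decides the question directly: "affects" is computed by first-order unification (for the fragment without the ∪ operator, so p ⊆ p'' collapses to p = p'', and with the two grants' variables renamed apart, since σ and σ' are independent), and a strict partial order extending "affects" exists exactly when the affects graph, self-loops included, is acyclic. A unifier yields the required closed substitutions because each sort has closed terms (primitive principals, closed grants). The term constructors and the two license sets are constructed here; the sets are the Alice/Amy example above and the same set with the self-referential license (Alice, Said(Alice, e) → e) added.

```python
# Added example (not the paper's code): decide whether a license set is hierarchical
# (Section 3.3), i.e. whether "affects" is acyclic, so that Proposition 3.8 applies.
# Assumes primitive principals only (no union operator, so p ⊆ p'' is p = p'').

TRUE = ("true",)
def var(name, sort): return ("var", name, sort)       # sort: "Principal" or "Resource"
def pr(prop, p): return ("Pr", prop, p)
def said(p, e): return ("Said", p, e)
def grant(ante, concl): return ("grant", ante, concl)  # d_g -> e_g
def is_var(t): return isinstance(t, tuple) and t[0] == "var"

def rename(t, tag):
    """Suffix every variable name in t, so that two grants share no variables."""
    if is_var(t): return ("var", t[1] + tag, t[2])
    if isinstance(t, tuple): return (t[0],) + tuple(rename(s, tag) for s in t[1:])
    return t

def walk(t, sigma):
    while is_var(t) and t in sigma:
        t = sigma[t]
    return t

def occurs(v, t, sigma):
    t = walk(t, sigma)
    return t == v or (isinstance(t, tuple) and any(occurs(v, s, sigma) for s in t[1:]))

def is_principal(t):
    return isinstance(t, str) or (is_var(t) and t[2] == "Principal")

def unify(a, b, sigma):
    """A most general unifier of two open terms (respecting sorts), or None."""
    a, b = walk(a, sigma), walk(b, sigma)
    if a == b: return sigma
    if is_var(b) and not is_var(a): a, b = b, a
    if is_var(a):
        if occurs(a, b, sigma) or (a[2] == "Principal") != is_principal(b): return None
        return {**sigma, a: b}
    if isinstance(a, tuple) and isinstance(b, tuple) and len(a) == len(b) and a[0] == b[0]:
        for s, t in zip(a[1:], b[1:]):
            sigma = unify(s, t, sigma)
            if sigma is None: return None
        return sigma
    return None

def saids(t):
    """All Said(p'', e') subterms of a condition or conclusion."""
    if not isinstance(t, tuple): return []
    return ([t] if t[0] == "Said" else []) + [s for sub in t[1:] for s in saids(sub)]

def affects(lic, lic2):
    """(p, g) affects (p', g') iff some Said(p'', e') in d_g' has p = p'' and e' unifiable with e_g."""
    (p, g), (_, g2) = lic, lic2
    e_g = rename(g[2], "'")          # sigma and sigma' are independent: rename apart
    return any(p == p2 and unify(e_g, e2, {}) is not None for _, p2, e2 in saids(g2[1]))

def is_hierarchical(L):
    """A strict partial order extending "affects" exists iff the affects graph is acyclic."""
    n = len(L)
    edges = {i: [j for j in range(n) if affects(L[i], L[j])] for i in range(n)}
    state = {}                       # 1 = on the current DFS path, 2 = finished
    def dfs(i):
        if state.get(i) == 1: return False     # back edge (a self-loop counts): cycle
        if state.get(i) == 2: return True
        state[i] = 1
        ok = all(dfs(j) for j in edges[i])
        state[i] = 2
        return ok
    return all(dfs(i) for i in range(n))

def holds2_height_bound(L):
    """Proposition 3.8: if L is hierarchical, Holds2 call trees have height <= 2#(L)+1."""
    return 2 * len(L) + 1 if is_hierarchical(L) else None

# Constructed license sets: the Alice/Amy example, then the same with a self-referential license.
x = var("x", "Principal")
L_OK = [("Alice", grant(TRUE, pr("Smart", "Bob"))),
        ("Amy", grant(said("Alice", pr("Smart", x)), pr("Attractive", x)))]
L_BAD = L_OK + [("Alice", grant(said("Alice", pr("Honest", "Alice")), pr("Honest", "Alice")))]
```

For L_OK the only edge is (Alice, g_1) → (Amy, g_2), so the set is hierarchical and the bound is 2·2 + 1 = 5; adding the self-referential license produces a self-loop, so no strict partial order can contain "affects" and the bound no longer applies.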

We further restrict the language to avoid the problem seen in Example 3.6. To 
understand our restriction, recall that Auth(e, L, R) first extends R to R' by adding 
all the grants that are issued by someone who has the authority to do so. Since 
all the grants in R' − R are in L, the set R' must be finite. Then Auth creates 
the possibly infinite set R_S consisting of all substitution instances of grants in R', 
and returns {d | d → e ∈ R_S}. (For simplicity here, we are assuming that Auth 
does not use the subset assumption; the subset assumption does not affect our 
discussion.) Since Auth considers only the grants in R_S whose conclusion matches 
the first input to Auth, we could certainly replace R_S by R'_S, where 

R'_S = {d_g σ → e | ∀x_1 ... ∀x_n(d_g → e_g) ∈ R', σ is a closed substitution, and e_g σ = e}. 

Because e is closed, R'_S is finite if, for every grant g in R', if the condition of g 
mentions a free variable x, then either x ranges over a finite set or x appears in 
the conclusion of g. Our solution is simply to restrict the language so that every 
grant has this property. Since, in our fragment, there are infinitely many resources 
(grants) and only finitely many principals, this amounts to restricting the language 
so that if ∀x_1 ... ∀x_n(d_g → e_g) is a grant, then every free variable of sort Resource 
that appears in d_g also appears in e_g. We call a grant restrained if it has this 
property; we call a license (p, g) restrained if g is restrained. Thus, for example, 
∀x∀y(Said(∅, Perm(x, issue, y)) → Perm(Alice, issue, y)) is restrained, but neither 

∀y∀z(Said(∅, Perm(Alice, issue, y)) → Perm(Alice, issue, z)) 

nor the grant ∀x(d(x) → e) in Example 3.6 is restrained. It is easy to see that, for 
all restrained grants g = ∀x_1 ... ∀x_n(d_g → e_g) and closed conclusions e, if n is the 
number of primitive principals in the language and |g| is the length of g, then there 
are at most n^{|g|} grants of the form d_g σ → e_g σ such that σ is a closed substitution 
and e_g σ = e. Thus, by considering only restrained grants and licenses, we solve the 
problem raised in Example 3.6. 

4. FORMAL SEMANTICS 

In this section we provide formal semantics for the XrML fragment described in 
Section 2. We show that the semantics is correct in the sense that it captures 
the output of the (corrected) query algorithm, Query2. We then consider two, 
arguably more intuitive, semantics and show that neither captures Query2. 

4.1 A Correct Translation 

To give formal semantics to our fragment, we translate licenses in the grammar 
to formulas in a modal many-sorted first-order logic. The logic has three sorts: 
Principal, Right, and Resource. The vocabulary includes the following symbols, 
where primitivePrin is the application-provided set of primitive principals and 
primitiveProp is the application-provided set of properties: 

— a constant p of sort Principal for every principal p ∈ primitivePrin; 

— a constant issue of sort Right; 

— a ternary predicate Perm that takes arguments of sort Principal, Right, and 
Resource; 

— a unary predicate Pr that takes an argument of sort Principal for each property 
Pr ∈ primitiveProp; 

— a function ∪ : Principal × Principal → Principal; 

— a function f_g : s_1 × ... × s_n → Resource for each grant g in the language; if 
x_1, ..., x_n are the free variables in g, then x_i is of sort s_i, for i = 1, ..., n. If g is 
closed, then the corresponding function is a constant that we denote as c_g; and 

— a modal operator Val that takes a formula as its only argument. 

Intuitively, Pr(p) means principal p has property Pr, and Val(φ) means formula φ 
is valid. Notice that every principal in the grammar corresponds to a term in the 
language, because ∪ is a function symbol. 

The semantics of our language is just the standard semantics for first-order logic, 
extended to deal with Val. We restrict attention to models for which ∪ satisfies the 
following standard properties: 

U1. ∀x((x ∪ x) = x) 

U2. ∀x_1∀x_2((x_1 ∪ x_2) = (x_2 ∪ x_1)) 

U3. ∀x_1∀x_2∀x_3((x_1 ∪ (x_2 ∪ x_3)) = ((x_1 ∪ x_2) ∪ x_3)) 

U4. ∀x((x ∪ ∅) = x) 

We call such models acceptable. Val(φ) is true in a model m if φ is true in all 
acceptable models. If a formula φ is true in all acceptable models, then we say that 
φ is acceptably valid. Thus, Val(φ) is true in an acceptable model iff φ is acceptably 
valid. 

The translation takes four finite sets as parameters. They are a set L of licenses, 
a set A of closed resources, a set S of closed Said conditions, and a set E of closed 
conclusions. Roughly speaking, L is the set of licenses that have been issued and 
A is the set of resources that are relevant to a particular application. For all XrML 
queries, S = ∅ and E = ∅. (The reader is encouraged to take S = E = ∅ when first 
trying to understand the details of the semantics.) The input parameter S allows 
users to specify a set of Said conditions that do not hold, regardless of L. We also 
use the parameter to ensure that the translation of a Said condition does not enter 
an infinite loop. The input parameter E corresponds to the fourth argument of 
Query2. (Recall that an XrML query asks if a conclusion e follows from a set L 
of licenses and set R of grants; the answer is "yes" if Query2(e, L, R, ∅) returns 
true.) By including E, we can give a translation that agrees with the Query2 
algorithm. The translation is defined below, where s^{L,A,S,E} is the translation of 
the string s given input L, A, S, and E. 

— If Perm(p, issue, g) ∈ E or (p, g) ∉ L, then (p, g)^{L,A,S,E} = true. 

— If Perm(p, issue, g) ∉ E and (p, g) ∈ L, then (p, g)^{L,A,S,E} = Perm(p, issue, c_g) ⇒ 
g^{L,A,S,E}. Note that we assume g is closed, because this assumption is built into 
Query. 

— (d_g → e_g)^{L,A,S,E} = ((∧_{e ∈ E} ¬Val(e^{L,A,S,E} ⇔ e_g^{L,A,S,E})) ∧ d_g^{L,A,S,E}) ⇒ e_g^{L,A,S,E}. 

— (∀xφ)^{L,A,S,E} = ∧_{t ∈ T} (φ[x/t])^{L,A,S,E}, where T = A if x is of sort Resource, and 
T = P if x is of sort Principal. (Recall that P is the set of principals.) 

— true^{L,A,S,E} = true. 

— If Said(p, e) ∈ S, then Said(p, e)^{L,A,S,E} = false. 

— If Said(p, e) ∉ S, then Said(p, e)^{L,A,S,E} = Val((∧_{g ∈ R_p} g^{L,A,S',∅}) ⇒ e^{L,A,S',∅}), 
where R_p = {g | (p', g) ∈ L for a p' ⊆ p} and S' = S ∪ {Said(p, e)}. 

— (d_1 ∧ d_2)^{L,A,S,E} = d_1^{L,A,S,E} ∧ d_2^{L,A,S,E}. 

— Perm(p, r, s)^{L,A,S,E} = Perm(p, r, s*), where s* = s if s is a variable of sort 
Resource, s* = c_s if s is a closed grant, and s* = f_s(x_1, ..., x_n) if s is an open 
grant with free variables x_1, ..., x_n. 

— Pr(p)^{L,A,S,E} = Pr(p). 

— For every principal p, p^{L,A,S,E} = p. 

This translation has two features that seem somewhat inelegant. The first is that, 
in dealing with a universal quantifier, variables are replaced by the constants over 
which they range; the second is the use of the Val operator. In the next section, we 
explain in more detail why we translated in this way. For now, we show that, in a 
precise sense, our translation captures the intended interpretation of the language. 

Note that Said(p, e)^{L,A,S,E} does not depend on E. This matches our intuition 
that the meaning of a Said condition depends only on what principals have said, 
rather than on what is actually true. By adding Said(p, e) to S, we ensure that 
the meaning of the condition does not depend on itself. Finally, observe that 
Said(p, e)^{L,A,S,E} is defined in terms of the translation of potentially more complex 
expressions. Nevertheless, the following result shows that the translation is well 
defined. 

Theorem 4.1. For all strings s in the language and all finite sets L of licenses, 
A of closed resources, S of closed Said conditions, and E of closed conclusions, 
s^{L,A,S,E} is well defined. 

We believe that our semantics captures the intended meaning of XrML expressions, 
as implied by the specification. To make this precise, we show that Query2 agrees 
with the semantics on all queries. Specifically, we show that for all terminating 
executions X of Query2(e, L, R, E), X returns true iff 
∧_{ℓ ∈ L} ℓ^{L,A,∅,E} ∧ ∧_{g ∈ R} g^{L,A,∅,E} ⇒ e^{L,A,∅,E} is acceptably valid, 
where A = A(e, L, R, E, X) is the set of closed resources that appear in 
the first argument of a call to Query2, Auth2, or Holds2 during execution 
X. Intuitively, A is the set of resources relevant to answering the query 
(e, L, R, E). For example, suppose that, during a particular execution X of 
Query2(e, L, R, E), Holds2(Said(p, Perm(p', issue, Perm(p'', issue, g))), L, S) 
is called. Then A(e, L, R, E, X) includes Perm(p'', issue, g) and g. Notice that if 
X is a terminating execution, then A(e, L, R, E, X) is finite. 

Theorem 4.2. Suppose that (e, L, R, E) is a query and X is a terminating 
execution of Query2(e, L, R, E). Then X returns true iff 

∧_{ℓ ∈ L} ℓ^{L,A,∅,E} ∧ ∧_{g ∈ R} g^{L,A,∅,E} ⇒ e^{L,A,∅,E} 

is acceptably valid, where A = A(e, L, R, E, X). 

4.2 Two Alternative Translations 

We now discuss why we captured universal quantification by replacing variables by 
constants and the need for the Val operator. We do so by giving two arguably more 
natural alternative translations that do not have these "features", and showing 
where they go wrong. While this does not show that there is no correct translation 
that translates universal quantification as universal quantification, and does not 
use Val, it does show why finding such a translation is nontrivial. 

For all strings s in our fragment, let s_1^{L,A,S,E} be a translation of s, where L, A, 
S, and E are as defined in Section 4.1. The formula s_1^{L,A,S,E} is identical to s^{L,A,S,E} 
except that (∀xφ)_1^{L,A,S,E} = ∀x(φ_1^{L,A,S,E}). Notice that the new translation often 
leads to more concise formulas and does not depend on the input parameter A. 
Unfortunately, this translation does not interact well with our use of Val when it 
comes to universally quantified formulas involving Said. The following example 
shows why we rejected this translation. 

Example 4.3. Suppose that Alice may issue any grant. Alice issues the grants 
"if I say some principal p is great, then p is also good", "if I say Bob is good, then 
Charlie is great", and "Bob is great." Can we conclude that Charlie is good? 

To answer our question using Query2, let L = {(Alice, g_A), (Alice, g_B), (Alice, g_C)} 
and consider Query2(Good(Charlie), L, R, ∅), where 

g_A = ∀x(Said(Alice, Great(x)) → Good(x)), 
g_B = Said(Alice, Good(Bob)) → Great(Charlie), 
g_C = Great(Bob), 
R = {∀x(Perm(Alice, issue, x))}. 

It is not hard to see that the algorithm returns true (i.e., Charlie is good), which 
is the intuitively correct answer. Roughly speaking, the algorithm deduces that 
Charlie is good if Alice says he is great; Alice says Charlie is great if Alice says Bob 
is good; Alice says Bob is good if Alice says Bob is great; and Alice does indeed 
say Bob is great. 

To answer our question using the revised translation, we need to determine the 
validity of the formula 

(∧_{ℓ ∈ L} ℓ_1^{L,∅,∅,∅} ∧ ∀x(Perm(Alice, issue, x))) ⇒ Good(Charlie). 

It is easy to see that this formula is equivalent to 

(g_A)_1^{L,∅,∅,∅} ∧ (g_B)_1^{L,∅,∅,∅} ∧ (g_C)_1^{L,∅,∅,∅} ⇒ Good(Charlie). 

Clearly, (g_C)_1^{L,∅,∅,∅} = (g_C)^{L,∅,∅,∅} = Great(Bob). In the original translation, 
we combine Great(Bob) with (g_A)^{L,∅,∅,∅} to conclude Good(Bob), then combine 
Good(Bob) with (g_B)^{L,∅,∅,∅} and (g_A)^{L,∅,∅,∅} to derive Good(Charlie); that is, the 
formula corresponding to the query is valid under the original translation. 
Unfortunately, these steps fail with the revised translation. As suggested above, the 
problem lies in the interaction of quantified formulas and Said in g_A. Consider the 
first step. Note that (g_A)^{L,∅,∅,∅} is equivalent to a conjunction of which one conjunct 
is (Said(Alice, Great(Bob)) → Good(Bob)). When combined with Great(Bob), we 
can indeed conclude Good(Bob). On the other hand, with the revised translation, 
(g_A)_1^{L,∅,∅,∅} is 

∀x(Val(((g_A)_1^{L,∅,S',∅} ∧ (g_B)_1^{L,∅,S',∅} ∧ (g_C)_1^{L,∅,S',∅}) ⇒ Great(x)) ⇒ Good(x)), 

where S' = {Said(Alice, Great(x))}. The Val formula is vacuously false, so 
(g_A)_1^{L,∅,∅,∅} is vacuously true, and does not help in concluding Good(Bob). Thus, 
the formula corresponding to the query is not valid under the revised translation; 
we do not get the intuitively correct answer. □ 

Next, suppose that we modify our original translation so that the Val operator 
is not used. In particular, we fix the input parameter E to be the empty set and 
remove the validity operator from the translation of Said conditions. For all strings 
s, let s_2^{L,A,S,∅} be the translation of s that is identical to s^{L,A,S,∅} except that, if s 
is of the form "d_g → e_g", then s_2^{L,A,S,∅} = (d_g)_2^{L,A,S,∅} ⇒ (e_g)_2^{L,A,S,∅} and, if s is of the 
form Said(p, e) and s ∉ S, then Said(p, e)_2^{L,A,S,∅} = (∧_{g ∈ R_p} g_2^{L,A,S',∅}) ⇒ e_2^{L,A,S',∅}, 
where R_p = {g | (p', g) ∈ L for a p' ⊆ p} and S' = S ∪ {Said(p, e)}. Observe that 
every translated string is a variable-free formula in first-order logic. The following 
example illustrates a problem with this translation. Roughly speaking, the problem 
is that, according to the translation, every statement that follows from the given 
licenses and grants is said by every principal. 

Example 4.4. Suppose that Alice cheated on an exam and, if Alice admits that 
she cheated, then she is trusted. Is Alice trusted? Intuitively, the answer is "no" 
because Alice has not confessed. 

To answer the question using Query2, we execute Query2(Trusted(Alice), ∅, R, ∅), 
where R = {Cheated(Alice), Said(Alice, Cheated(Alice)) → Trusted(Alice)}. It is 
not hard to see that Query2 returns false, indicating that Alice is not trusted. 
Specifically, the algorithm determines that Alice is trusted only if Alice said she 
cheated, and Alice has not done this. 

To answer the question using the revised translation, we determine the validity of 
the formula (Cheated(Alice) ∧ ((true ⇒ Cheated(Alice)) ⇒ Trusted(Alice))) ⇒ 
Trusted(Alice). Standard manipulations show that the formula is logically equivalent 
to (Cheated(Alice) ∧ (Cheated(Alice) ⇒ Trusted(Alice))) ⇒ Trusted(Alice), 
which is valid. So, if we use the revised translation, we conclude that Alice is 
trusted. 

If we use the translation in Section 4.1, then we determine that Alice is not 
trusted. This is because Val "isolates" the Said condition from the statements implied 
by the given grants and the issued licenses. As a result, Said(Alice, Cheated(Alice)) 
holds only if the grants issued by Alice, in isolation, imply Cheated(Alice); that is, 
Said(Alice, Cheated(Alice)) holds only if Val(true ⇒ Cheated(Alice)) is true. 
Since true ⇒ Cheated(Alice) is not an acceptably valid formula, we conclude 
that Said(Alice, Cheated(Alice)) does not hold and, thus, Trusted(Alice) does 
not hold. □ 

5. COMPLEXITY 

To answer a query (e, L, R, E), we need to determine whether an execution of 
Query2(e, L, R, E) returns true. We claimed earlier that the problem of answering 
queries is, in general, undecidable. We now formalize this claim. Recall that a grant 
g is restrained if every variable of sort Resource mentioned in the antecedent of g 
is mentioned in the conclusion of g. We say that a grant g is in a set L of licenses 
if (p, g) ∈ L for some principal p. A grant g is in R ∪ L, for some set R of grants, 
if g is in R or g is in L. 

Theorem 5.1. Determining whether some execution of Query2(e, L, R, E) returns 
true is undecidable for the set of queries (e, L, R, E) such that at most one 
grant in R ∪ L is not restrained. 

Let ℒ_0 be the set of queries (e, L, R, E) such that every grant in R ∪ L is restrained. 
In this section, we examine the computational complexity of answering queries for 
fragments of ℒ_0. 

We first show that the problem of answering queries for the full language ℒ is 
NP-hard for two quite different reasons. The first stems from the fact that, if there 
are n primitive principals, we can construct 2^n principals using the ∪ operator. 
The second is that, to answer a query, we might need to determine if exponentially 
many closed Said conditions hold. 

We use the following definitions to state our results. ℒ_1 is the set of queries that 
do not mention the ∪ operator. A grant g is n-restricted if the number of variables 
of sort Principal that are mentioned in the antecedent of g and not in the conclusion 
of g is at most n. ℒ_2^n is the set of queries (e, L, R, E) such that all grants in R ∪ L are 
n-restricted. A call Holds2(d, L, S) is h-bounded if the call tree for every execution 
of Holds2(d, L, S) has height at most h. Note that Proposition 3.8 shows that if 
L is a hierarchical set of licenses, then Holds2(d, L, S) is (2#(L) + 1)-bounded. 
ℒ_3^h is the set of queries (e, L, R, E) such that if an execution of Query2(e, L, R, E) 
calls Holds2(d, L, S), then Holds2(d, L, S) is h-bounded. The next result shows 
that deciding if at least one execution of Query2 returns true is hard, even if we 
restrict to queries in ℒ_0 that satisfy any two of the following: the union operator 
is not mentioned (i.e., restrict to ℒ_1), the query is n-restricted for some fixed n, 
or all calls made during an execution of the query are h-bounded for some fixed h. 
(We show shortly that the set of queries in ℒ_0 that satisfy all three restrictions is 
tractable.) 

For a formula φ, let |φ| be the length of φ when viewed as a string of symbols. 
For a set S, let |S| be the length of S; that is, |S| = Σ_{s ∈ S} |s|. Finally, we abbreviate 
primitivePrin, the set of primitive principals, as P. 

Theorem 5.2. The problem of deciding if some execution of Query2(e, L, R, E) 
returns true for (e, L, R, E) ∈ ℒ_0 ∩ ℒ ∩ ℒ' is NP-hard for ℒ, ℒ' ∈ {ℒ_1, ℒ_2^n, ℒ_3^h}. 

If we make all three restrictions (that is, restrict to queries in ℒ_0 ∩ ℒ_1 ∩ ℒ_2^n ∩ ℒ_3^h, for 
some fixed n and h), then determining whether a query returns true is decidable in 
polynomial time. However, as we might expect in light of Theorem 5.2, the degree of 
the polynomial depends on n and h, and the polynomial involves constants that are 
exponential in n and h. Note that, for queries in ℒ_0 ∩ ℒ_1 ∩ ℒ_2^n ∩ ℒ_3^h, all executions of 
Query2 terminate and return the same answer. Termination is fairly easy to show, 
since every call tree of an execution of Query2(e, L, R, E) has a finite branching 
factor if (e, L, R, E) ∈ ℒ_0, and has finite height if (e, L, R, E) ∈ ℒ_3^h. The fact 
that all executions of Query2(e, L, R, E) return the same output for all queries 
(e, L, R, E) ∈ ℒ_0 ∩ ℒ_1 ∩ ℒ_2^n ∩ ℒ_3^h follows easily from Proposition 3.7(b). 

Theorem 5.3. For fixed n and h, if (e, L, R, E) ∈ ℒ_0 ∩ ℒ_1 ∩ ℒ_2^n ∩ ℒ_3^h, then 
determining whether Query2(e, L, R, E) returns true takes time O(|L| |E| + (|R| + 
|L|)(|L|^h (|L| + |R| + |e|)^2)). 

The big-O notation is hiding some rather complex (and uninformative) terms that 
are functions of n and h; we spell these out in the appendix. 

In practice, we believe that queries are often in ℒ_0 and, as shown in Proposition 
3.8, if we restrict to queries where the set L of licenses has size at most h and 
is hierarchical (which we expect in practice will often be the case), then all call 
trees that arise are guaranteed to have height at most 2h + 1. Thus, in practice, we 
expect that we can restrict to queries in ℒ_2^n and ℒ_3^h for relatively small values of 
n and h. Moreover, even for larger values of n and h (say, as large as 10), as long 
as the union operator does not appear, we expect that queries can be answered 
efficiently, because the upper bound is quite conservative. 

How reasonable is it to restrict to queries in ℒ_1 that do not mention the ∪ 
operator? We believe that XrML without the ∪ operator is sufficiently expressive 
for many applications. To examine the effect of not using the ∪ operator, note that 
principals appear as the first argument in a license, in a Said condition, and in a 
conclusion. 

— According to the XrML documentation, the license ({p_1, ..., p_n}, g) is an abbreviation 
for the set of licenses {(p, g) | p ∈ {p_1, ..., p_n}}. It follows that we can 
restrict the first argument of licenses to primitive principals and variables without 
sacrificing any expressive power. (In fact, we can restrict the first argument 
of licenses to only primitive principals, because Query assumes that if (p, g) is 
a license in L, then p is variable-free.) 

— We can replace all conditions of the form Said({p_1, ..., p_n}, e), where p_1, ..., p_n 
are primitive principals, by a condition Said({p_1, ..., p_n}*, e), where {p_1, ..., p_n}* 
is a new primitive principal, and then expand the set L of issued licenses by 
adding a new license ({p_1, ..., p_n}*, g) for every license (p, g) already in L, where 
p ∈ {p_1, ..., p_n}. It is not hard to show that this results in at most a quadratic 
increase in the number of grants. Thus, as long as the first argument to Said is 
variable-free, we can express it without using ∪. 

— To understand the impact of our restriction on conclusions, we need 
to consider the meaning of statements such as Trust({Alice, Bob}) 
and Perm({Alice, Bob}, issue, g). According to the XrML document, 
Trust({Alice, Bob}) means Alice and Bob together (i.e., when viewed as a single 
entity) is trusted; Perm({Alice, Bob}, issue, g) means Alice and Bob is permitted 
to issue g. However, the XrML document does not explain precisely what it 
means for Alice and Bob to be viewed as a single entity. Indeed, it seems to treat 
this notion somewhat inconsistently (recall the inconsistent use of the subset 
assumption). There are other difficulties with sets. Notice that if {Alice, Bob} 
is permitted to issue a grant g, then presumably g holds if {Alice, Bob} issues g. 
However, according to the XrML documentation, the license ({Alice, Bob}, g) is 
simply an abbreviation for the set of licenses {({Alice}, g), ({Bob}, g)}. So it is 
unclear whether a principal that is not a singleton can issue a license. Furthermore, 
if principals that are not singletons can issue grants and {Alice, Bob} is 
permitted to issue a grant g, then it seems reasonable to conclude that g holds 
if g is issued by both Alice and Bob, but it is not clear whether g holds if it is 
issued by only Alice (or by only Bob). 

There may well be applications for which these notions have an obvious and 
clear semantics. But we suspect that such applications typically include only a 
relatively small set of groups of interest. In that case, it may be possible to simply 
take these groups to be new primitive principals, and express the relationship 
between the group and its elements in the language. (This approach has the 
added advantage of forcing license writers to be clear about the semantics of 
groups.) 

In short, we are optimistic that many applications do not need the union function. 
6. THE ENTIRE XRML LANGUAGE 

XrML has several components that are not in our fragment. Most have been excluded 
simply for ease of exposition. That is, our work can be extended in a 
straightforward way to a much larger fragment of XrML. In this section we list the 
main omissions, briefly discussing each one. Giving formal semantics to the entire 
XrML language remains an open problem. 

— XrML supports patterns, where a pattern restricts the terms over which a variable 
ranges. For example, if the variable x is restricted to the pattern "ends in 
Simpson", then x ranges over the terms that meet this syntactic constraint (e.g., 
x ranges over {HomerSimpson, MargeSimpson, ...}). Our semantics includes 
the patterns that correspond to properties in our fragment. Continuing the example, 
we could capture the pattern "ends in Simpson" by having the property 
Simpson in the language and having the set of grants determine which terms 
have the property. 

XrML also allows a pattern to be a set of patterns. We can express a set of 
patterns as a conjunction of patterns. Since we can express conjunctions of 
properties in our fragment, we can also capture sets of the corresponding patterns. 
Patterns can be written in any language that the writer chooses. The default 
is to write patterns as XPath expressions. First-order logic is not well-suited 
to capturing XPath expressions; the situation may be even worse with other 
languages. Therefore we do not believe our semantics can be easily extended to 
include all patterns. The significance of this limitation is not yet clear. 

— XrML supports delegable grants. A delegable grant g can be viewed as a conjunction 
of a grant g' in our fragment and a set G of grants that, essentially, allow 
other principals to issue g'. For example, the delegable grant "Doctor Alice may 
view Charlie's medical file and she may also give the right to view the file to her 
colleague, Doctor Bob" can be viewed as the conjunction of the grant "Doctor 
Alice may view Charlie's medical file" and the grant "Alice is permitted to issue 
the grant 'Doctor Bob may view Charlie's medical file'". 

The XrML specification also supports more general types of delegation. For 
example, in XrML, we can say "Doctor Alice may view Charlie's medical file and 
may delegate this right to anyone under any condition that she specifies." The 
extent to which our semantics can capture delegation, as defined in the XrML 
specification, is an open problem. 

— XrML supports grantGroups, where a grantGroup is a set of grants. We can 
extend our syntax to support grantGroups by closing the set of grants (as cur- 
rently defined) under the union operator. Note that our proposed treatment of 
grantGroups is quite similar to our current treatment of principals. 

— XrML has variables that range over conditions. It is not clear how this capability 
is intended to be used in practice. Our hope is that the practical applications will 
translate easily to our fragment. Examining this issue is left as an open problem. 

— XrML includes rights, resources, and conditions that are not in our fragment. 
There should be no difficulty in extending our translation to handle these 
new features, and proving an analogue of Theorem 4.2. But we might not 
be able to answer queries in the extended language. The problem is that 
XrML allows resource terms to be formed by applying functions other than 
∪. For example, MPEG-21 REL extends XrML by defining a container resource 
that is a sequence of resources. This naturally translates to a function 
$container: Resource \times Resource \rightarrow Resource$, so that the container $(s_1, s_2, s_3)$ is 
translated as $container(s_1, container(s_2, s_3))$. Allowing such functions makes the 
problem of deciding if a conclusion follows from a set of XrML licenses and grants 
undecidable, for much the same reason that the validity problem for negation-free 
Datalog with function symbols is undecidable [Nerode and Shore 1997]. 

— XrML allows an application to define additional principals, rights, resources, and 
conditions within the XrML framework. Obviously, we cannot analyze terms that 
have yet to be defined; however, we do not anticipate any difficulty in extending 
the translation to deal with these terms and getting an analogue of Theorem 4.2. 

— XrML allows licenses to be encrypted and supports abbreviations via the Inven- 
tory component. However, the XrML procedure for determining if a permission 
follows from a set of licenses assumes that all licenses are unencrypted and all 
abbreviations have been replaced by the statements for which they stand. In 
other words, these features are engineering conveniences that are not part of 
understanding or reasoning about licenses. 

7. NEGATION 

We believe that many license writers will find it important to deny permissions 
explicitly and to state conclusions based on whether a permission is granted, denied, 
or neither granted nor denied by a particular principal. For example, Alice's mother 
might want to say "Alice is not permitted to enter the adult website", a teacher 
might want to say "if the university does not object, then Alice is permitted to 
audit the class", and a lawyer might want to say "if the hospital permits an action 
that the government forbids, then the hospital is not compliant". 

We can write these statements in XrML by using special "negated predicates". 
For example, we can write Prohibited(Alice, enter, adult website) to capture 
"Alice is not permitted to enter the adult website",¹ 
NotSaid(University, Prohibited(Alice, audit, class)) to capture "the university 
does not say that Alice is not permitted to audit the class" (i.e., the university 
does not object to Alice auditing the class), and NotCompliant(Hospital) to 
capture "the hospital is not compliant". We remark that this approach of using 
"negated predicates" has appeared before in the literature [Jajodia et al. 1997; 
Becker and Sewell 2004]; it is essentially the technique used by XACML [Moses 
2005], another popular license language. 

Adding negated predicates to XrML is straightforward; reasoning about state- 
ments in the extended language is not. One problem is that we have to han- 
dle statements that are intuitively inconsistent. For example, consider the grants 
Perm(Alice, issue, g) and Prohibited(Alice, issue, g), which say that Alice is 
permitted and prohibited to issue the grant g. It is not clear what we should con- 
clude from these grants. In particular, it is not clear if Alice should be allowed to 
issue g. (The languages that include negated predicates typically require the policy 
writer to specify how inconsistencies should be resolved.) 

Other problems arise if we extend XrML so that the set of conditions includes 
Pr(p) and NotPr(p), in addition to Said(p, e) and true. 

Example 7.1. Suppose that a company allows employees to access their server 
and allows nonemployees access if they sign a nondisclosure agreement. If Alice 
cannot prove that she is an employee, can she still get access to the server by 
signing a nondisclosure agreement? Intuitively, she should be able to, because Alice 
is either an employee, in which case she has permission, or she is not an employee, 
in which case she still has permission because she signed the waiver. However, if 
we express the query in the obvious way (using negated predicates), then Alice is 
not permitted, because 

$SignedWaiver(Alice) \wedge \forall x(Employee(x) \Rightarrow Perm(x, access, server)) \wedge$ 
$\forall x(NotEmployee(x) \wedge SignedWaiver(x) \Rightarrow Perm(x, access, server)) \Rightarrow$ 
$Perm(Alice, access, server)$ 

is not valid. □ 
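Both readings of Example 7.1 can be checked mechanically by enumerating the truth values of the atoms that concern Alice. The script below is an added example, not code from the paper: it evaluates the antecedent of the implication once with NotEmployee as an independent "negated predicate" and once with NotEmployee read as the negation of Employee, and lists the models that satisfy the antecedent while falsifying Perm(Alice, access, server); the function and atom names are this example's own.

```python
from itertools import product

# Atoms of the Example 7.1 formula instantiated at Alice. A counter-model for the
# implication only needs Alice's instances of the two universally quantified grants
# (other individuals merely add conjuncts to the antecedent), so enumerating these
# four truth values is enough to decide validity.
ATOMS = ("Employee", "NotEmployee", "SignedWaiver", "Perm")


def antecedent_holds(model, negation_operator):
    """Antecedent of the implication in Example 7.1, evaluated at x = Alice.

    negation_operator=False: NotEmployee is a separate predicate (the "negated
    predicate" encoding); negation_operator=True: NotEmployee is read as the
    negation of Employee (the negation-operator encoding).
    """
    employee = model["Employee"]
    not_employee = (not employee) if negation_operator else model["NotEmployee"]
    signed_waiver = model["SignedWaiver"]
    perm = model["Perm"]
    # forall x (Employee(x) => Perm(x, access, server)), at x = Alice
    grant_employees = (not employee) or perm
    # forall x (NotEmployee(x) and SignedWaiver(x) => Perm(x, access, server)), at x = Alice
    grant_waiver = (not (not_employee and signed_waiver)) or perm
    return signed_waiver and grant_employees and grant_waiver


def counterexamples(negation_operator):
    """Models in which the antecedent holds but Perm(Alice, access, server) does not."""
    found = []
    for values in product((False, True), repeat=len(ATOMS)):
        model = dict(zip(ATOMS, values))
        if negation_operator and model["NotEmployee"] != (not model["Employee"]):
            continue  # under the negation operator NotEmployee is not a free atom
        if antecedent_holds(model, negation_operator) and not model["Perm"]:
            found.append(model)
    return found


def is_valid(negation_operator):
    """The implication of Example 7.1 is valid iff it has no counter-model."""
    return not counterexamples(negation_operator)


if __name__ == "__main__":
    for reading, flag in (("negated predicate", False), ("negation operator", True)):
        print(f"{reading}: valid={is_valid(flag)} counterexamples={counterexamples(flag)}")
```

The single counter-model for the negated-predicate reading is the one the example describes: Alice has signed the waiver but neither Employee(Alice) nor NotEmployee(Alice) holds.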

To address the unintuitive behavior shown in Example 7.1, we could replace the 
negated predicates by a negation operator, which is the standard approach in logic. 
Let XrML$^{\neg}$ be XrML extended so that the set of conditions includes $\neg Said(p, e)$ as 
well as $Said(p, e)$, and the set of conclusions includes $\neg Pr(p)$ and $\neg Perm(p, r, s)$, 
as well as $Pr(p)$ and $Perm(p, r, s)$. There is no problem extending the semantics 
of XrML to XrML$^{\neg}$. Moreover, by replacing NotEmployee in Example 7.1 



¹ Since XrML allows the application to define only additional principals, rights, resources, and 
conditions, we cannot add Prohibited to XrML without extending the framework, but the ex- 
tension is so minor that we ignore it here; moreover, there are no implications as far as complexity 
goes. 
by $\neg Employee$, we get the intuitively correct answer. The downside of allowing 
negation is intractability. Recall that £ H L\ n L\ n C\ is a small fragment of 
XrML: the licenses in this fragment do not mention the ∪ operator, every variable 
in the antecedent of a grant appears in its conclusion, and the execution tree for 
all calls to Holds2 has height at most two. Theorem 5.2 shows that queries in 
C n L\ n £° ^ £3 are tractable; however, as we now show, adding negation to this 
relatively small language makes it intractable. 

Theorem 7.2. Let $(e, L, R, E)$ be a tuple in £nn£i n/^ 1 "^! extended to include 
negated Said conditions and negated conclusions. The problem of deciding whether 

is valid is NP-hard. This result holds even if $e$, all of the licenses in $L$, and all of 
the conclusions in $E$ are in XrML, all but one of the grants in $R$ are in XrML, and 
the one grant that is in XrML$^{\neg}$ − XrML is of the form $\forall x_1 \ldots \forall x_n(\neg e)$. 

We are currently investigating whether there is a tractable fragment of XrML$^{\neg}$ 
that is sufficiently expressive to capture the grants and licenses that are of practical 
importance. We expect that some ideas from our work on Lithium [Halpern and 
Weissman 2003] will prove useful in this regard. 

8. MPEG-21 REL 

MPEG-21 is an international standard that is based on XrML. In [Halpern and 
Weissman 2004], we give semantics to a beta version of MPEG-21. All of the 
problems discussed in Section 3.2 are present in the beta version. We reported 
these issues to Xin Wang and Thomas DeMartini of the MPEG-21 working group 
before the final version was released, and our concerns were addressed in the final 
version (although not exactly as specified in Section 3.3). 

The key differences between XrML and MPEG-21 are as follows. 

— MPEG-21 consistently makes the subset assumption; a principal $\{p_1, \ldots, p_n\}$ has 
all of the properties and permissions of principal $p_i$ for $i = 1, \ldots, n$. 

— A Said condition takes a trustRoot s and a conclusion e. No definition of trustRoot 
is given in the specification; rather, it is assumed that the application 
will associate with every trustRoot s, set L of licenses, and set R of grants a set 
G(s, L, R) of grants. Said(s, e) holds if the set L of issued licenses and G(s, L, R) 
together imply e, where R is the set of grants that implicitly hold. 

— Rather than defining an algorithm, MPEG-21 says that L and R imply e if there 
is a proof tree that shows the result holds. Roughly speaking, a proof tree t shows 
that L and R imply e if (a) t includes a grant g that implies e if certain conditions 
hold; (b) for each of these conditions, t includes a proof tree showing that the 
condition does, in fact, hold, and (c) either g is in R or, for some principal p, 
(p, g) is in L and t includes a proof tree showing that p is permitted to issue g. 

We believe that the translation and corresponding proof of correctness given in 
Section 4.1 can be modified in a straightforward way to apply to MPEG-21. If this 
is indeed the case, then an appropriately modified Query2 can be used to answer 
queries about licenses and grants that are written in MPEG-21. 
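The three clauses of the proof-tree definition above can be turned directly into a small search. The code below is an added example, not code from the paper or from the MPEG-21 specification; it assumes ground (variable-free) grants, represents a condition simply as a conclusion that must itself have a proof tree, and uses constructed names (Grant, issue_perm, has_proof_tree, and the Alice/Bob/Charlie scenario). It also shows how refusing to re-prove a conclusion already on the current path, the non-repeating call trees of Proposition 3.7 in the appendix, keeps a self-supporting grant from looping.

```python
from dataclasses import dataclass
from typing import FrozenSet, Tuple

# Hypothetical ground model of MPEG-21 REL style grants, constructed for this example.
# A conclusion is a tuple such as ("Perm", "Bob", "view", "CharlieFile"); a grant pairs
# the conclusions its conditions require with the conclusion it establishes; a license
# is a pair (issuer, grant).


@dataclass(frozen=True)
class Grant:
    conditions: Tuple[tuple, ...]  # all must have proof trees (clause (b))
    conclusion: tuple              # what the grant establishes (clause (a))


def issue_perm(principal, grant):
    """The conclusion 'principal is permitted to issue grant' (XrML's Perm(p, issue, g))."""
    return ("Perm", principal, "issue", grant)


def has_proof_tree(e, L, R, path: FrozenSet[tuple] = frozenset()):
    """True iff some proof tree shows that licenses L and implicit grants R imply e.

    `path` holds the conclusions currently being proved. A conclusion already on the
    path is not re-entered: a proof tree that repeats a conclusion along a path can be
    shortened to one that does not, so nothing is lost, and cyclic licenses cannot send
    the search into infinite recursion.
    """
    if e in path:
        return False
    path = path | {e}
    candidates = [(None, g) for g in R] + [(p, g) for (p, g) in L]
    for issuer, g in candidates:
        if g.conclusion != e:
            continue                                   # clause (a): g must imply e
        if not all(has_proof_tree(c, L, R, path) for c in g.conditions):
            continue                                   # clause (b): every condition holds
        if issuer is None or has_proof_tree(issue_perm(issuer, g), L, R, path):
            return True                                # clause (c): g in R, or issuer may issue g
    return False


# Constructed scenario (not from the paper): may Bob view Charlie's medical file?
VIEW_FILE = ("Perm", "Bob", "view", "CharlieFile")
G_VIEW = Grant(conditions=(), conclusion=VIEW_FILE)
G_ALICE_MAY_ISSUE = Grant(conditions=(), conclusion=issue_perm("Alice", G_VIEW))
IS_DOCTOR = ("Pr", "Bob", "Doctor")
G_VIEW_IF_DOCTOR = Grant(conditions=(IS_DOCTOR,), conclusion=VIEW_FILE)
G_BOB_IS_DOCTOR = Grant(conditions=(), conclusion=IS_DOCTOR)
G_SELF_SUPPORTING = Grant(conditions=(IS_DOCTOR,), conclusion=IS_DOCTOR)


def demo():
    """Four cases; returns their truth values in order."""
    # 1. Alice issued G_VIEW and R says she may issue it: provable.
    authorised = has_proof_tree(VIEW_FILE, {("Alice", G_VIEW)}, {G_ALICE_MAY_ISSUE})
    # 2. Same license, but nothing permits Alice to issue it: clause (c) fails.
    unauthorised = has_proof_tree(VIEW_FILE, {("Alice", G_VIEW)}, set())
    # 3. Conditional grant whose condition is established by another grant in R.
    conditional = has_proof_tree(VIEW_FILE, set(), {G_VIEW_IF_DOCTOR, G_BOB_IS_DOCTOR})
    # 4. The only support for IS_DOCTOR is IS_DOCTOR itself: the path check rejects it.
    circular = has_proof_tree(VIEW_FILE, set(), {G_VIEW_IF_DOCTOR, G_SELF_SUPPORTING})
    return authorised, unauthorised, conditional, circular


if __name__ == "__main__":
    print(demo())
```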
9. CONCLUDING REMARKS 

XrML is a popular language that does not have formal semantics. Since there are 
no formal semantics, we cannot argue that the XrML algorithm is incorrect, but 
its behavior on certain input does seem unreasonable. To address the problem, we 
modified the algorithm, provided formal semantics for an interesting fragment of 
XrML, and showed that the modified algorithm corresponds to our semantics in a 
precise sense. 

We have examined only a fragment of XrML. A key reason for XrML's popularity 
is that the framework is extensible; applications can define new components (i.e., 
principals, rights, resources, and conditions) to suit their needs. We do not believe 
there will be any difficulty in giving semantics to the extended language. The 
real question is whether we can find useful tractable extensions. As we have already 
seen, functions pose no semantic difficulties, but adding them makes the problem 
of answering queries in XrML undecidable. Another obvious and desirable feature 
is negation. Currently, XrML does not support negation in either the condition or 
conclusion of grants. This is a significant expressive weakness. Without negation, 
license writers cannot forbid an action explicitly nor can they say that a conclusion 
holds if a permission is denied or unregulated by a particular principal. While 
it is easy to extend XrML to include negation, doing so without placing further 
restrictions on the language makes it intractable. We suspect that we can use 
our earlier work [Halpern and Weissman 2003] to find a fragment of XrML with 
negation that is tractable and substantially more expressive. 

Of course, it remains an open question whether XrML (or some extension of it) 
is the "best" policy language to use for rights management (and, more generally, 
trust management). Many languages have been proposed to do this, including 
XACML [Moses 2005], ODRL [Iannella 2001], numerous variants of Datalog [DeTreville 
2002; Li et al. 2003; Li et al. 2002; Becker and Sewell 2004; Jim 2001], 
SPKI/SDSI [Halpern and van der Meyden 2003; Li and Mitchell 2006; Ellison et al. 
1999b; 1999a], and our own language Lithium [Halpern and Weissman 2003]. As 
the references above indicate, a number of these have even been given semantics 
using first-order or modal logic. Comparing the strengths and weaknesses of all 
these approaches (and the semantic methods used to capture them) remains an 
open direction for future research. 

Our work emphasizes the need for collaboration between language developers 
and the formal methods community. Our analysis of XrML demonstrates that a 
language without formal semantics is prone to ambiguities and inconsistencies, even 
if that language is carefully crafted and reviewed by industry. The good news is 
that collaborations are possible. The XrML developers that we contacted answered 
our questions and listened to our concerns. When they designed the next version 
of XrML, which is the ISO Standard MPEG-21 REL, they did not make the same 
mistakes. 
A. PROOFS 

Proposition 3.7. For all closed conditions $d$ and sets $L$ of licenses, 

(a) every execution of $Holds(d, L)$ that terminates returns the same output, 

(b) every execution of $Holds2(d, L, \emptyset)$ that terminates returns the same output, 

(c) if an execution of $Holds(d, L)$ terminates by returning the truth value $t$, then 
an execution of $Holds2(d, L, \emptyset)$ terminates by returning $t$. 

Proof. Parts (a) and (b) are immediate from the descriptions of Holds and 
Holds2. To prove part (c), say that a call tree for $Holds(d, L)$ is non-repeating if 
it is not the case that there exists a path $p$ in the call tree and two nodes $n_1$ and 
$n_2$ on the path such that both nodes are labeled by the same call to Holds. If 
$Holds(d, L)$ terminates, then it has a finite call tree. Moreover, it is easy to see 
that if there is a finite call tree for $Holds(d, L)$, then there is a non-repeating call 
tree: If there is a call to $Holds(d', L')$ at two nodes on a path, we simply replace 
the subtree below the first call to $Holds(d', L')$ by the subtree below the last call 
to $Holds(d', L')$. A non-repeating call tree for $Holds(d, L)$ is essentially a call tree 
for $Holds2(d, L, \emptyset)$; the same calls are made at every step (the third component 
has to change appropriately). □ 

For the proofs of Proposition 3.8 and Lemma A.11, we rely on the observation 
that, if $T$ is the call tree for an execution of $Holds2(d, L, S)$, then $T$ can be viewed 
as an and-or tree, where a node labeled $Holds2(d', L, S')$ is an and node if $d'$ is a 
conjunction with at least two conjuncts, an or node if $d'$ is a Said condition and 
$Holds2(d', L, S')$ makes at least one recursive call, and a leaf if $d'$ is true or if 
$d'$ is a Said condition and $Holds2(d', L, S')$ makes no recursive calls. For future 
reference, note that each node in $T$ can be assigned a truth value in an obvious 
way. An and node is assigned "true" if all its children are; an or node is assigned 
"true" if at least one child is; a leaf labeled $Holds2(true, L, S')$ is assigned "true"; 
and a leaf labeled $Holds2(Said(p, e), L, S')$ is assigned "false". 

Proposition 3.8. If d is a closed condition, L is a hierarchical set of licenses, 
S is a set of closed Said conditions, and T is the call tree of an execution of 
Holds2(d, L, S), then the height of T is at most 2#(L) + 1. 

Proof. Because $L$ is hierarchical, there exists a strict partial order $\prec$ on licenses 
such that, if $\ell$ and $\ell'$ are licenses in $L$ and $\ell$ affects $\ell'$, then $\ell \prec \ell'$. A node $v$ in 
$T$ is a non-and node if $v$ is an or node or a leaf. It follows from the description 
of Holds2 that every and node has at least two children and every child of an 
and node is a non-and node. So, if a path in $T$ from the root to a leaf has $n$ 
non-and nodes, then that path has at most $2n$ total nodes; thus, it suffices to 
show that every path in $T$ has at most $\#(L) + 1$ non-and nodes. If $L = \emptyset$, then it 
is immediate from the description of Holds2 that $T$ has height at most 1. Suppose 
that $L \neq \emptyset$. Then, for every path $t$ in $T$, either $t$ includes at most 2 non-and 
nodes, in which case $t$ mentions at most $\#(L) + 1$ non-and nodes, or $t$ includes 2 
non-and nodes $v_i$ and $v_j$ such that an or node precedes $v_i$, which precedes $v_j$, and 
no or node is between $v_i$ and $v_j$. If $v_i$ has a label of the form $Holds2(d_i, L, S_i)$ and 
$v_j$ has a label of the form $Holds2(d_j, L, S_j)$, then it follows from the description 
of Holds2 that there are licenses $(p_i, g_i)$ and $(p_j, g_j)$ in $L$ and closed substitutions 
$\sigma_i$ and $\sigma_j$ such that the antecedent of $g_i$ under $\sigma_i$ mentions $d_i$; the antecedent of 
$g_j$ under $\sigma_j$ mentions $d_j$; and $(p_j, g_j)$ affects $(p_i, g_i)$. Thus, $(p_j, g_j) \prec (p_i, g_i)$. It 
follows that $t$ has at most $\#(L) + 1$ non-and nodes. □ 

Definition A.1. Suppose that $(e, L, R, E)$ is a query, $X$ is an execution of 
$Query2(e, L, R, E)$, and $A = A(e, L, R, E, X)$. Define 

$E^*(e, L, R) = \{Perm(p, issue, g) \mid (p, g) \in L\} \cup \{e\}$. 

$S^*(e, L, R, E, X) = \{Said(p, Pr(p')) \mid p, p' \in P \text{ and } Pr \in primitiveProp\} \cup$ 
$\{Said(p, Perm(p', issue, g)) \mid p, p' \in P \text{ and } g \in A\}$. 

□ 

Theorem 4.1. For all strings $s$ in the language and all finite sets $L$ of licenses, 
$A$ of closed resources, $S$ of closed Said conditions, and $E$ of closed conclusions, 
$s^{L,A,S,E}$ is well defined. 

Proof. Let $S_L$ be the set of Said conditions that are mentioned in issued grants; 
that is, $Said(p, e) \in S_L$ iff there is a license $(p', g) \in L$ such that $g$ mentions 
$Said(p, e)$. Let $S_s$ be the set of Said conditions mentioned in $s$. Finally, let 
$S_{L,s} = S_L \cup S_s$. We define a lexicographic order on the tuples $(s, S)$ such that 
$(s, S) < (s', S')$ iff either (a) $\#(S_{L,s} - S) < \#(S_{L,s'} - S')$ or (b) $\#(S_{L,s} - S) = \#(S_{L,s'} - S')$ 
and $|s| < |s'|$. The proof is by induction on this ordering. If $\#(S_{L,s} - S) = 0$ and 
$|s| = 1$, then $s^{L,A,S,E} = s$, so the translation is well defined. The inductive step is 
trivial except when $s = Said(p, e)$ and $s \notin S$. 

Suppose that $s$ is of the form $Said(p, e)$ and $s \notin S$. Recall that 

$Said(p, e)^{L,A,S,E} = Val(\bigwedge_{g \in R_p} g^{L,A,S',\emptyset} \Rightarrow e^{L,A,S',\emptyset})$, 

where $R_p = \{g \mid (p', g) \in L \text{ for a } p' \in p\}$ and $S' = S \cup \{Said(p, e)\}$. Because $L$ is a 
finite set, $R_p$ is a finite set and because $e$ is a conclusion, $e^{L,A,S',\emptyset}$ is well defined. So, 
to prove that $Said(p, e)^{L,A,S,E}$ is well defined, it suffices to show that $g^{L,A,S',\emptyset}$ is well 
defined for all $g \in R_p$. Suppose that $s \notin S_L$. Then $\#(S_{L,g} - S') = \#(S_L - S')$ since 
$S_{L,g} = S_L$; $\#(S_L - S') = \#(S_L - S)$ since $s \notin S_L$; $\#(S_L - S) < \#((S_L - S) \cup \{s\})$ 
since $s \notin S_L$; and $\#((S_L - S) \cup \{s\}) = \#(S_{L,s} - S)$ since $s \notin S$. So, putting the 
pieces together, $\#(S_{L,g} - S') < \#(S_{L,s} - S)$ and, by the induction hypothesis, 
$g^{L,A,S',\emptyset}$ is well defined. Suppose that $s \in S_L$. Then $\#(S_{L,g} - S') = \#(S_L - S')$ 
since $S_{L,g} = S_L$; $\#(S_L - S') < \#(S_L - S)$ since $s \in S_L - S$; and 
$\#(S_L - S) = \#(S_{L,s} - S)$ since $s \in S_L$. Again, putting the pieces together, 
$\#(S_{L,g} - S') < \#(S_{L,s} - S)$, so $g^{L,A,S',\emptyset}$ is well defined by the induction hypothesis. □ 

We next prove Theorem 4.2. We actually prove a stronger result, given as Theorem A.9; 
Theorem A.9(c) is Theorem 4.2. The next five lemmas provide a deeper 
understanding of the properties of the Query2, Auth2, and Holds2 algorithms 
and the translation, and are used in the proof of Theorem A.9. 

Lemma A.2. Suppose that $(e, L, R, E)$ is a query. Then during an execution $X$ 
of $Query2(e, L, R, E)$ 

(a) every call made to Query2, Auth2, and Holds2 takes $L$ as its second argument; 

(b) every call made to Query2 and Auth2 takes $R$ as its third argument; 

(c) if $Query2(e', L, R, E')$ is called, then $e' \in E^*(e, L, R)$; 

(d) if $Auth2(e', L, R, E')$ is called, then $e' \in E^*(e, L, R)$; and 

(e) if $Holds2(d, L, S)$ is called, then every conjunct of $d$ is in 
$S^*(e, L, R, E, X) \cup \{true\}$. 

Proof. Parts (a) through (d) follow immediately from the descriptions of Query2, 
Auth2, and Holds2. For part (e), suppose that $Holds2(d, L, S)$ is called. Because 
$d$ is a closed condition, every conjunct of $d$ is either true or of the form $Said(p, e')$, 
where $p$ is a closed principal and $e'$ is a closed conclusion. If $e'$ is of the form 
$Pr(p')$, then $Said(p, e')$ is clearly in $S^*(e, L, R, E, X)$. Otherwise, $e'$ is of the form 
$Perm(p', issue, g)$. Because $e'$ is an input to a call made during $X$ and $g$ is 
mentioned in $e'$, $g \in A(e, L, R, E, X)$. □ 

Lemma A.3. Suppose that $(e, L, R, E)$ is a query such that $e \in E$, $A$ is a set of 
closed resources, and $S$ is a set of closed Said conditions. Then 
$\bigwedge_{\ell \in L} \ell^{L,A,S,E} \wedge \bigwedge_{g \in R} g^{L,A,S,E} \Rightarrow e^{L,A,S,E}$ 
is not acceptably valid (and hence not valid). 

Proof. Let $m$ be an acceptable model that satisfies $e'^{L,A,S,E}$ iff $e' \neq e$. Recall 
that, for a grant $g = \forall x_1 \ldots \forall x_n(d_g \rightarrow e_g)$, $g^{L,A,S,E}$ is a conjunction of formulas of 
the form 

$(\bigwedge_{e' \in E} \neg Val(e'^{L,A,S,E} \Leftrightarrow (e_g\sigma)^{L,A,S,E}) \wedge (d_g\sigma)^{L,A,S,E}) \Rightarrow (e_g\sigma)^{L,A,S,E}$, 

where $\sigma$ is a closed substitution. If $e \in E$, then $m$ satisfies $g^{L,A,S,E}$ because, 
for all substitutions $\sigma$, either $(e_g\sigma)^{L,A,S,E} \neq e^{L,A,S,E}$, in which case $m$ satisfies 
$(e_g\sigma)^{L,A,S,E}$, or $(e_g\sigma)^{L,A,S,E} = e^{L,A,S,E}$, in which case 
$\bigwedge_{e' \in E} \neg Val(e'^{L,A,S,E} \Leftrightarrow (e_g\sigma)^{L,A,S,E})$ is equivalent to false. Since $m$ satisfies 
every grant, $m$ satisfies $\bigwedge_{\ell \in L} \ell^{L,A,S,E} \wedge \bigwedge_{g \in R} g^{L,A,S,E}$. By construction, 
$m$ does not satisfy $e^{L,A,S,E}$, so $m$ does not satisfy 
$\bigwedge_{\ell \in L} \ell^{L,A,S,E} \wedge \bigwedge_{g \in R} g^{L,A,S,E} \Rightarrow e^{L,A,S,E}$. □ 

Lemma A.4. Suppose that $(e, L, R, E)$ is a query, $A$ is a set of closed resources, 
and $S$ is a set of closed Said conditions. Then (a) $e'^{L,A,S,E} = e'^{L,A,S,(E \cup \{e\})}$ for 
every closed conclusion $e'$ in the language, (b) $g^{L,A,S,E} \Rightarrow g^{L,A,S,(E \cup \{e\})}$ is valid for 
every grant $g$ in the language, and (c) $\ell^{L,A,S,E} \Rightarrow \ell^{L,A,S,(E \cup \{e\})}$ is valid for every 
license $\ell$ in the language. 

Proof. Part (a) follows immediately from the translation. 

For part (b), let $g = \forall x_1 \ldots \forall x_n(d_g \rightarrow e_g)$. It is easy to see that 
$g^{L,A,S,E} \Rightarrow g^{L,A,S,(E \cup \{e\})}$ is valid iff, for all closed substitutions $\sigma$, 
$d_g\sigma^{L,A,S,(E \cup \{e\})} \Rightarrow d_g\sigma^{L,A,S,E}$ is valid. The latter statement holds because the 
translation of a condition does not depend on the final input argument (i.e., the set 
of conclusions), so $d_g\sigma^{L,A,S,(E \cup \{e\})} =$ 

For part (c), let $\ell = (p, h)$. If $Perm(p, issue, h) \in E \cup \{e\}$ or $(p, h) \notin L$, then 
$\ell^{L,A,S,(E \cup \{e\})} = true$, so $\ell^{L,A,S,E} \Rightarrow \ell^{L,A,S,(E \cup \{e\})}$ is valid. If 
$Perm(p, issue, h) \notin E \cup \{e\}$ and $(p, h) \in L$, then 
$\ell^{L,A,S,E} = Perm(p, issue, c_h) \Rightarrow h^{L,A,S,E}$ and 
$\ell^{L,A,S,(E \cup \{e\})} = Perm(p, issue, c_h) \Rightarrow h^{L,A,S,(E \cup \{e\})}$. It follows that 
$\ell^{L,A,S,E} \Rightarrow \ell^{L,A,S,(E \cup \{e\})}$ is valid if $h^{L,A,S,E} \Rightarrow h^{L,A,S,(E \cup \{e\})}$ is valid. The 
formula is valid by part (b). □ 
Definition A.5. For a set $A$ of closed resources, an $A$-closed substitution $\sigma$ is 
a closed substitution such that, for all variables $x$ of sort Resource, $\sigma(x) \in A$. □ 

Lemma A.6. Suppose that $G$ is a set of grants, $L$ is a set of licenses, $A$ is a 
set of closed resources, $S$ is a set of closed Said conditions, $E$ is a set of grants, 
and $e$ is a closed conclusion. Then $\bigwedge_{g \in G} g^{L,A,S,E} \Rightarrow e^{L,A,S,E}$ is acceptably valid iff 
$g^{L,A,S,E} \Rightarrow e^{L,A,S,E}$ is acceptably valid for some $g \in G$. Moreover, for any grant $g$, 
$g^{L,A,S,E} \Rightarrow e^{L,A,S,E}$ is acceptably valid iff $e \notin E$ and, for some $A$-closed substitution 
$\sigma$, the formula $d_g\sigma^{L,A,S,E}$ is acceptably valid and $e_g\sigma = e$. 

Proof. We first show that $\bigwedge_{g \in G} g^{L,A,S,E} \Rightarrow e^{L,A,S,E}$ is acceptably valid iff 
$g^{L,A,S,E} \Rightarrow e^{L,A,S,E}$ is acceptably valid for some $g \in G$. The "if" direction is trivial. 
For the "only if" direction, suppose by way of contradiction that 
$\bigwedge_{g \in G} g^{L,A,S,E} \Rightarrow e^{L,A,S,E}$ is acceptably valid and $g^{L,A,S,E} \Rightarrow e^{L,A,S,E}$ is not 
acceptably valid for all $g \in G$. Let $m$ be an acceptable model such that, for all closed 
conclusions $e'$, $m$ satisfies $e'^{L,A,S,E}$ iff $e' \neq e$. Since $\bigwedge_{g \in G} g^{L,A,S,E} \Rightarrow e^{L,A,S,E}$ 
is acceptably valid, there is a $g = \forall x_1 \ldots \forall x_n(d_g \rightarrow e_g) \in G$ such that $m$ does not 
satisfy $g^{L,A,S,E}$. By the translation, it follows that there is an $A$-closed substitution 
$\sigma$ such that $e_g\sigma \notin E$, $d_g\sigma^{L,A,S,E}$ holds in $m$, and $e_g\sigma = e$. Because, for all 
conditions $d'$, $d'^{L,A,S,E}$ can be written as $Val(\varphi)$ for an appropriate formula $\varphi$, 
$d_g\sigma^{L,A,S,E}$ is acceptably valid since it holds in an acceptable model. It follows that 
$g^{L,A,S,E} \Rightarrow e^{L,A,S,E}$ is acceptably valid, which contradicts the assumption. 

It remains to show that $g^{L,A,S,E} \Rightarrow e^{L,A,S,E}$ is acceptably valid for a grant 
$g = \forall x_1 \ldots \forall x_n(d_g \rightarrow e_g)$ iff $e \notin E$ and, for some $A$-closed substitution $\sigma$, the 
formula $d_g\sigma^{L,A,S,E}$ is acceptably valid and $e_g\sigma = e$. The "if" direction is immediate 
from the translation. For the "only if" direction, suppose by way of contradiction 
that $g^{L,A,S,E} \Rightarrow e^{L,A,S,E}$ is acceptably valid and either $e \in E$ or, for each $A$-closed 
substitution $\sigma$, either $d_g\sigma^{L,A,S,E}$ is not valid or $e_g\sigma \neq e$. Let $m$ be the acceptable 
model defined above; that is, for all conclusions $e'$, $m$ satisfies $e'^{L,A,S,E}$ iff $e' \neq e$. 
We can get a contradiction by showing that $m$ satisfies $g^{L,A,S,E}$. If $e \in E$, then $m$ 
satisfies $g^{L,A,S,E}$ since either $e_g\sigma \in E$ (because $e_g\sigma = e$), or $e_g\sigma$ holds in $m$ (because 
$e_g\sigma \neq e$). Otherwise, by assumption, either $d_g\sigma^{L,A,S,E}$ is not acceptably valid or 
$e_g\sigma \neq e$, for each $A$-closed substitution $\sigma$. Note that, because $d_g\sigma^{L,A,S,E}$ (like 
every formula of the form $d^{L,A,S,E}$ for some condition $d$) is equivalent to a formula 
of the form $Val(\varphi)$, then if it is not acceptably valid, it is not true in any acceptable 
model and, in particular, not in $m$. It then easily follows from the translation that 
$m$ satisfies $g^{L,A,S,E}$. This gives us the desired contradiction. □ 

Definition A.7. Let $(e, L, R, E)$ be a query, let $X$ be a terminating execution 
of $Query2(e, L, R, E)$, and let $A = A(e, L, R, E, X)$. Then 

$G(e, L, R, E, X) = R \cup \{h \mid$ for some principal $p$, $(p, h) \in L$ and 
$((\bigwedge_{\ell \in L} \ell^{L,A,\emptyset,(E \cup \{e\})}) \wedge (\bigwedge_{g \in R} g^{L,A,\emptyset,(E \cup \{e\})})) \Rightarrow Perm(p, issue, c_h)$ 
is acceptably valid$\}$. 

□ 

Lemma A.8. Suppose that $(e, L, R, E)$ is a query, $X$ is a terminating execution 
of $Query2(e, L, R, E)$, and $A = A(e, L, R, E, X)$. Then 
$\bigwedge_{\ell \in L} \ell^{L,A,\emptyset,E} \wedge \bigwedge_{g \in R} g^{L,A,\emptyset,E} \Rightarrow e^{L,A,\emptyset,E}$ is acceptably valid iff there is 
a grant $h \in G(e, L, R, E, X)$ such that $h^{L,A,\emptyset,E} \Rightarrow e^{L,A,\emptyset,E}$ is acceptably valid. 

Proof. For the "if" direction, suppose that $h$ is a grant in $G(e, L, R, E, X)$ 
such that $h^{L,A,\emptyset,E} \Rightarrow e^{L,A,\emptyset,E}$ is acceptably valid. If $h \in R$, then 
$\bigwedge_{\ell \in L} \ell^{L,A,\emptyset,E} \wedge \bigwedge_{g \in R} g^{L,A,\emptyset,E} \Rightarrow e^{L,A,\emptyset,E}$ is acceptably valid. If 
$h \in G(e, L, R, E, X) - R$, then there is a principal $p$ such that 

(1a) $(p, h) \in L$, 

(1b) $Perm(p, issue, h) \notin E$, and 

(1c) $\bigwedge_{\ell \in L} \ell^{L,A,\emptyset,(E \cup \{e\})} \wedge \bigwedge_{g \in R} g^{L,A,\emptyset,(E \cup \{e\})} \Rightarrow Perm(p, issue, c_h)$ is 
acceptably valid. 

Let $\varphi = \bigwedge_{\ell \in L} \ell^{L,A,\emptyset,E} \wedge \bigwedge_{g \in R} g^{L,A,\emptyset,E}$. It follows from (1a) that 
$\varphi \Rightarrow (p, h)^{L,A,\emptyset,E}$ is acceptably valid. It follows from (1a), (1b), and the translation 
that $\varphi \Rightarrow (Perm(p, issue, c_h) \Rightarrow h^{L,A,\emptyset,E})$ is acceptably valid. It follows from 
Lemma A.4 and (1c) that $\varphi \Rightarrow Perm(p, issue, c_h)$ is acceptably valid, so 
$\varphi \Rightarrow h^{L,A,\emptyset,E}$ is acceptably valid. By assumption $h^{L,A,\emptyset,E} \Rightarrow e^{L,A,\emptyset,E}$ is 
acceptably valid, so $\varphi \Rightarrow e^{L,A,\emptyset,E}$ is acceptably valid. 

For the "only if" direction, suppose that there is no grant $g \in G(e, L, R, E, X)$ 
such that $g^{L,A,\emptyset,E} \Rightarrow e^{L,A,\emptyset,E}$ is acceptably valid. Let $m$ be an acceptable model 
that does not satisfy $e^{L,A,\emptyset,E}$ and the formulas in 
$\{Perm(p, issue, h)^{L,A,\emptyset,E} \mid (p, h) \in L$, $Perm(p, issue, h) \notin E$, and $h \notin G(e, L, R, E, X)\}$. 
Because $m$ does not satisfy $e^{L,A,\emptyset,E}$, it suffices to show that $m$ satisfies 
$\bigwedge_{\ell \in L} \ell^{L,A,\emptyset,E} \wedge \bigwedge_{g \in R} g^{L,A,\emptyset,E}$. We do this by showing that (1) $m$ 
satisfies $(p, h)^{L,A,\emptyset,E}$ for every license $(p, h)$ such that $h \notin G(e, L, R, E, X)$, and 
(2) $m$ satisfies $g^{L,A,\emptyset,E}$ for every grant $g \in G(e, L, R, E, X)$. 

For part (1), observe that if $Perm(p, issue, h) \in E$ or $(p, h) \notin L$, then 
$(p, h)^{L,A,\emptyset,E} = true$, so $(p, h)^{L,A,\emptyset,E}$ holds in $m$. If $Perm(p, issue, h) \notin E$ and 
$(p, h) \in L$, then $(p, h)^{L,A,\emptyset,E} = Perm(p, issue, c_h) \Rightarrow h^{L,A,\emptyset,E}$ and, by 
construction, $m$ does not satisfy $Perm(p, issue, c_h)$; so $(p, h)^{L,A,\emptyset,E}$ is again true 
in $m$. 

For part (2), let $g = \forall x_1 \ldots \forall x_n(d_g \rightarrow e_g) \in G(e, L, R, E, X)$, and recall that 
$g^{L,A,\emptyset,E}$ is the conjunction of formulas of the form 

$(\bigwedge_{e' \in E} \neg Val(e'^{L,A,\emptyset,E} \Leftrightarrow (e_g\sigma)^{L,A,\emptyset,E}) \wedge (d_g\sigma)^{L,A,\emptyset,E}) \Rightarrow (e_g\sigma)^{L,A,\emptyset,E}$, 

where $\sigma$ is an $A$-closed substitution. Clearly, $m$ satisfies $g^{L,A,\emptyset,E}$ iff, for every 
$A$-closed substitution $\sigma$, $m$ satisfies 
$((\bigwedge_{e' \in E} \neg Val(e'^{L,A,\emptyset,E} \Leftrightarrow (e_g\sigma)^{L,A,\emptyset,E})) \wedge (d_g\sigma)^{L,A,\emptyset,E}) \Rightarrow (e_g\sigma)^{L,A,\emptyset,E}$. 
It is easy to see that the latter statement holds if, for all $A$-closed substitutions $\sigma$, 
either $e_g\sigma \in E$, $(d_g\sigma)^{L,A,\emptyset,E}$ is not true in $m$, or $(e_g\sigma)^{L,A,\emptyset,E}$ is true in $m$. We 
claim that this is indeed the case. To prove the claim, suppose by way of contradiction 
that $e_g\sigma \notin E$, $(d_g\sigma)^{L,A,\emptyset,E}$ is true in $m$, and $(e_g\sigma)^{L,A,\emptyset,E}$ is not true in $m$. 
Since $(e_g\sigma)^{L,A,\emptyset,E}$ is not true in $m$, either $e_g\sigma = e$ or 
$e_g\sigma \in \{Perm(p, issue, h) \mid (p, h) \in L$, $Perm(p, issue, h) \notin E$, and $h \notin G(e, L, R, E, X)\}$. 

If $e_g\sigma = e$, then we claim that $g^{L,A,\emptyset,E} \Rightarrow e^{L,A,\emptyset,E}$ is acceptably valid. To see 
this note that 
$g^{L,A,\emptyset,E} \Rightarrow ((\bigwedge_{e' \in E} \neg Val(e'^{L,A,\emptyset,E} \Leftrightarrow (e_g\sigma)^{L,A,\emptyset,E}) \wedge (d_g\sigma)^{L,A,\emptyset,E}) \Rightarrow (e_g\sigma)^{L,A,\emptyset,E})$ 
is acceptably valid. Since $e_g\sigma \notin E$, the formula 
$\bigwedge_{e' \in E} \neg Val(e'^{L,A,\emptyset,E} \Leftrightarrow (e_g\sigma)^{L,A,\emptyset,E}) = true$; so, 
$g^{L,A,\emptyset,E} \Rightarrow ((d_g\sigma)^{L,A,\emptyset,E} \Rightarrow (e_g\sigma)^{L,A,\emptyset,E})$ is acceptably valid. Since 
$(d_g\sigma)^{L,A,\emptyset,E}$ is true in $m$ by assumption, and, as we have observed, every formula 
of the form $d^{L,A,\emptyset,E}$ is equivalent to $Val(\varphi)$ for some formula $\varphi$, $(d_g\sigma)^{L,A,\emptyset,E}$ is 
acceptably valid and, as a result, $g^{L,A,\emptyset,E} \Rightarrow (e_g\sigma)^{L,A,\emptyset,E}$ is acceptably valid. 
By assumption, $e_g\sigma = e$, so $g^{L,A,\emptyset,E} \Rightarrow e^{L,A,\emptyset,E}$ is acceptably valid. Since 
$g \in G(e, L, R, E, X)$ and, by assumption, none of the grants in $G(e, L, R, E, X)$ 
imply $e^{L,A,\emptyset,E}$, we have a contradiction. 

Finally, suppose that $e_g\sigma \neq e$ and $e_g\sigma = Perm(p, issue, h)$, where $(p, h) \in L$, 
$Perm(p, issue, h) \notin E$, and $h \notin G(e, L, R, E, X)$. We now prove that 
$g^{L,A,\emptyset,(E \cup \{e\})} \Rightarrow Perm(p, issue, c_h)$ is acceptably valid, so $h \in G(e, L, R, E, X)$, 
which contradicts the assumptions. We begin by noting that 
$g^{L,A,\emptyset,(E \cup \{e\})} \Rightarrow ((\bigwedge_{e' \in E \cup \{e\}} \neg Val(e'^{L,A,\emptyset,(E \cup \{e\})} \Leftrightarrow (e_g\sigma)^{L,A,\emptyset,(E \cup \{e\})}) \wedge (d_g\sigma)^{L,A,\emptyset,(E \cup \{e\})}) \Rightarrow (e_g\sigma)^{L,A,\emptyset,(E \cup \{e\})})$ 
is acceptably valid. By assumption, $e_g\sigma \notin E \cup \{e\}$, so 

$g^{L,A,\emptyset,(E \cup \{e\})} \Rightarrow ((d_g\sigma)^{L,A,\emptyset,(E \cup \{e\})} \Rightarrow (e_g\sigma)^{L,A,\emptyset,(E \cup \{e\})})$ is acceptably valid. 

Since $e_g\sigma = Perm(p, issue, h)$, $e_g\sigma^{L,A,\emptyset,(E \cup \{e\})} = Perm(p, issue, c_h)$, so 
$g^{L,A,\emptyset,(E \cup \{e\})} \Rightarrow ((d_g\sigma)^{L,A,\emptyset,(E \cup \{e\})} \Rightarrow Perm(p, issue, c_h))$ is acceptably valid. 
It remains to be shown that $(d_g\sigma)^{L,A,\emptyset,(E \cup \{e\})}$ is acceptably valid. Because the 
translation of a condition does not depend on the set of conclusions, it suffices to 
show that $d_g\sigma^{L,A,\emptyset,E}$ is acceptably valid. But, as we observed above, this follows 
immediately from the assumption that $d_g\sigma^{L,A,\emptyset,E}$ is true in $m$. □ 

Theorem A.9. Suppose that $(e,L,R,E)$ is a query, $X$ is a terminating execution of Query2$(e,L,R,E)$, and $A = A(e,L,R,E,X)$. Then for all calls of the form Holds2$(d,L,S)$, Auth2$(e',L,R,E')$, or Query2$(e',L,R,E')$ made during execution $X$, including the initial call,

(a) Holds2$(d,L,S)$ returns true iff $d^{L,A,S,E'}$ is acceptably valid, where $E'$ is an (arbitrary) set of closed conclusions;

(b) Auth2$(e',L,R,E')$ returns the set $D$ of closed conditions, where $D = \{d \mid e' \notin E'$ and, for some grant $\forall x_1 \ldots \forall x_n (d_g \to e_g) \in G(e',L,R,E',X)$ and closed substitution $\sigma$, $d_g\sigma = d$ and $e_g\sigma = e'\}$; and

(c) Query2$(e',L,R,E')$ returns true iff $\bigwedge_{\ell \in L} \ell^{L,A,\emptyset,E'} \wedge \bigwedge_{g \in R} g^{L,A,\emptyset,E'} \Rightarrow e'^{L,A,\emptyset,E'}$ is acceptably valid.

Proof. We prove part (a) by induction on $\#(S^*(e,L,R,E,X) - S)$, with a subinduction on the structure of $d$. Suppose that $\#(S^*(e,L,R,E,X) - S) = 0$. If $d = $ true, then Holds2$(d,L,S) = $ true and $d^{L,A,S,E'} = $ true. Suppose that $d$ is of the form Said$(p,e')$. Then, by Lemma A.2, $d \in S^*(e,L,R,E,X)$. By assumption, $\#(S^*(e,L,R,E,X) - S) = 0$, so $d \in S$. It follows that Holds2$(d,L,S) = $ false and $d^{L,A,S,E'} = $ false. Finally, if $d$ is a conjunction, then the result is immediate from the induction hypothesis. For the induction step, the argument used for the base case applies if $d = $ true or if $d$ is a conjunction of conditions. Suppose that $d$ has the form Said$(p,e')$. If $d \in S$, then Holds2$(d,L,S) = $ false and $d^{L,A,S,E'} = $ false. If $d \notin S$ then, by the description of Holds2, Holds2$(d,L,S) = $ true iff there is a grant $g = \forall x_1 \ldots \forall x_n (d_g \to e_g) \in R_p$ and an $A$-closed substitution $\sigma$ such that Holds2$(d_g\sigma, L, S\cup\{d\}) = $ true and $e_g\sigma = e'$. By the induction hypothesis, Holds2$(d_g\sigma, L, S\cup\{d\}) = $ true iff $(d_g\sigma)^{L,A,S\cup\{d\},E'}$ is acceptably valid. By the translation, the latter statement holds iff $(d_g\sigma)^{L,A,S\cup\{d\},\emptyset}$ is acceptably valid. So, by Lemma A.6, Holds2$(d,L,S) = $ true iff $(\bigwedge_{g \in R_p} g^{L,A,S\cup\{d\},\emptyset}) \Rightarrow e'^{L,A,S\cup\{d\},\emptyset}$ is acceptably valid. It is immediate from the translation that the latter statement holds iff $d^{L,A,S,E'}$ is acceptably valid.

We prove parts (b) and (c) by simultaneous induction on $\#(\mathcal{E}^*(e,L,R) - E')$. If $\#(\mathcal{E}^*(e,L,R) - E') = 0$, then $e' \in \mathcal{E}^*(e,L,R)$ by Lemma A.2, so $e' \in E'$. Because $e' \in E'$, Auth2$(e',L,R,E') = \emptyset$, so part (b) holds. For part (c), Query2 begins by calling Auth2$(e',L,R,E')$, which returns the empty set, and then Query2 returns false. Since $e' \in E'$, it follows from Lemma A.3 that $\bigwedge_{\ell \in L} \ell^{L,A,\emptyset,E'} \wedge \bigwedge_{g \in R} g^{L,A,\emptyset,E'} \Rightarrow e'^{L,A,\emptyset,E'}$ is not acceptably valid, so the invariant holds.

Now consider the inductive step. For part (b), suppose that Auth2$(e',L,R,E')$ is called during the execution of Query2$(e,L,R,E)$. If $e' \in E'$, then part (b) holds by the same argument as in the base case. If $e' \notin E'$, then Auth2 returns a set $D$ of closed conditions such that $d \in D$ iff there is a grant $\forall x_1 \ldots \forall x_n (d_h \to e_h) \in S_L$ and a closed substitution $\sigma$ such that $d_h\sigma = d$ and $e_h\sigma = e'$, where
$$S_L = R \cup \{h \mid \text{for some principal } p,\ (p,h) \in L \text{ and, during execution } X,\ \mathrm{Query2}(\mathrm{Perm}(p,\mathrm{issue},h), L, R, E'\cup\{e'\}) \text{ returns true}\}.$$
It clearly suffices to show that $S_L = G(e',L,R,E',X)$. By Lemma A.2, $e' \in \mathcal{E}^*(e,L,R)$ and, by assumption, $e' \notin E'$. So it follows from the induction hypothesis that
$$S_L = R \cup \{h \mid \text{for some principal } p,\ (p,h) \in L \text{ and } \textstyle\bigwedge_{\ell \in L} \ell^{L,A,\emptyset,(E'\cup\{e'\})} \wedge \bigwedge_{g \in R} g^{L,A,\emptyset,(E'\cup\{e'\})} \Rightarrow \mathrm{Perm}(p,\mathrm{issue},c_h) \text{ is acceptably valid}\},$$
which is $G(e',L,R,E',X)$.

For part (c), observe that if $e' \in E'$ then we can use the same reasoning as in the base case to show that the invariant holds. If $e' \notin E'$ then, during execution $X$, Query2$(e',L,R,E')$ returns true iff there is a closed condition $d$ in the output of Auth2$(e',L,R,E')$ such that Query2 calls Holds2$(d,L,\emptyset)$, which returns true. By part (b), Auth2$(e',L,R,E')$ returns a set of conditions that includes $d$ iff there is a grant $g = \forall x_1 \ldots \forall x_n (d_g \to e_g) \in G(e',L,R,E',X)$ and a closed substitution $\sigma$ such that $d_g\sigma = d$ and $e_g\sigma = e'$. Moreover, since Holds2$(d,L,\emptyset)$ is called during execution $X$ of Query2$(e,L,R,E)$, $\sigma$ is $A$-closed. By part (a), Holds2$(d,L,\emptyset) = $ true iff $d^{L,A,\emptyset,E'}$ is acceptably valid. So Query2$(e',L,R,E')$ returns true iff there is a grant $g = \forall x_1 \ldots \forall x_n (d_g \to e_g) \in G(e',L,R,E',X)$ and an $A$-closed substitution $\sigma$ such that $(d_g\sigma)^{L,A,\emptyset,E'}$ is acceptably valid and $e_g\sigma = e'$. By assumption, $e' \notin E'$; so, by Lemma A.6, Query2$(e',L,R,E') = $ true iff $g^{L,A,\emptyset,E'} \Rightarrow e'^{L,A,\emptyset,E'}$ is acceptably valid for some $g \in G(e',L,R,E',X)$. It follows from Lemma A.8 that the latter statement holds iff $\bigwedge_{\ell \in L} \ell^{L,A,\emptyset,E'} \wedge \bigwedge_{g \in R} g^{L,A,\emptyset,E'} \Rightarrow e'^{L,A,\emptyset,E'}$ is acceptably valid. □

Theorem 5.1. Determining whether some execution of Query2$(e,L,R,E)$ returns true is undecidable for the set of queries $(e,L,R,E)$ such that at most one grant in $R \cup L$ is not restrained.

Proof. We reduce the Post correspondence problem (PCP) [Post 1946] to the problem of determining whether some execution of Query2$(e,L,R,\emptyset)$ returns true for a query $(e,L,R,\emptyset)$, where all but one grant in $R \cup L$ is restrained. Let $\Sigma$ be an alphabet; let $s_1,\ldots,s_n$ and $t_1,\ldots,t_n$ be strings over $\Sigma$; and, for all strings $s$ and $s'$, let $s \cdot s'$ be the concatenation of $s$ and $s'$. We want to determine if there are integers $i_1,\ldots,i_k \in \{1,\ldots,n\}$ such that $s_{i_1} \cdot \ldots \cdot s_{i_k} = t_{i_1} \cdot \ldots \cdot t_{i_k}$.

To encode the problem as a query, assume that the language includes the primitive principal $p_a$ for each symbol $a \in \Sigma$, the primitive principal $p$, and the property Pr. For every string $s$ over $\Sigma$, define a function $G_s$ from grants to grants by induction on the length of $s$. If $s$ has length one ($s \in \Sigma$), then $G_s(g) = \mathrm{Perm}(p_s,\mathrm{issue},g)$. If $s = a \cdot s'$, then $G_s = G_a \circ G_{s'}$. For all grants $g_1$ and $g_2$, define $G(g_1,g_2)$ to be the grant $\mathrm{Said}(p,\mathrm{Perm}(p,\mathrm{issue},g_1)) \to \mathrm{Perm}(p,\mathrm{issue},g_2)$.

We claim that there are integers $i_1,\ldots,i_k \in \{1,\ldots,n\}$ such that $s_{i_1} \cdot \ldots \cdot s_{i_k} = t_{i_1} \cdot \ldots \cdot t_{i_k}$ iff an execution of Query2$(\mathrm{Pr}(p),L,R,\emptyset)$ returns true, where
$$L = \{(p,\ \mathrm{Perm}(p,\mathrm{issue},G(G_{s_i}(\mathrm{Pr}(p)),G_{t_i}(\mathrm{Pr}(p))))) \mid i = 1,\ldots,n\} \cup \{(p,\ \forall x_1 \forall x_2 (\mathrm{Said}(p,\mathrm{Perm}(p,\mathrm{issue},G(x_1,x_2))) \to \mathrm{Perm}(p,\mathrm{issue},G(G_{s_i}(x_1),G_{t_i}(x_2))))) \mid i = 1,\ldots,n\}$$
and $R = \{\forall x (\mathrm{Said}(p,\mathrm{Perm}(p,\mathrm{issue},G(x,x))) \to \mathrm{Pr}(p))\}$.

Recall that an execution of Query2$(e,L,R,\emptyset)$ returns true iff an execution of Auth2$(e,L,R,\emptyset)$ returns a set $D$ of conditions such that an execution of Holds2$(d,L,\emptyset)$ returns true for some condition $d \in D$. It is easy to see that every execution of Auth2$(e,L,R,\emptyset)$ returns the set $D = \{\mathrm{Said}(p,\mathrm{Perm}(p,\mathrm{issue},G(g,g))) \mid g \text{ is a closed grant}\}$. Moreover, if $d$ is of the form $\mathrm{Said}(p,\mathrm{Perm}(p,\mathrm{issue},G(g,g)))$, where $g$ is a closed grant, then it is not hard to see that an execution of Holds2$(d,L,\emptyset)$ returns true iff there are integers $i_1,\ldots,i_k \in \{1,\ldots,n\}$ such that $g = G_{s_{i_1}}(G_{s_{i_2}}(\ldots G_{s_{i_k}}(\mathrm{Pr}(p))\ldots))$ and $g = G_{t_{i_1}}(G_{t_{i_2}}(\ldots G_{t_{i_k}}(\mathrm{Pr}(p))\ldots))$. The latter statement holds iff there are integers $i_1,\ldots,i_k \in \{1,\ldots,n\}$ such that $s_{i_1} \cdot \ldots \cdot s_{i_k} = t_{i_1} \cdot \ldots \cdot t_{i_k}$. □

Theorem 5.2. The problem of deciding if some execution of Query2$(e,L,R,E)$ returns true for $(e,L,R,E) \in \mathcal{L}_0 \cap \mathcal{L} \cap \mathcal{L}'$ is NP-hard for $\mathcal{L}, \mathcal{L}' \in \{\mathcal{L}_1, \mathcal{L}_2, \mathcal{L}_3\}$ with $\mathcal{L} \neq \mathcal{L}'$.

Proof. For the NP-hardness results, it suffices to show that the problem of deciding whether Query2$(e,L,R,E) = $ true is NP-hard if (a) $(e,L,R,E) \in \mathcal{L}_0 \cap \mathcal{L}_2 \cap \mathcal{L}_3$, (b) $(e,L,R,E) \in \mathcal{L}_0 \cap \mathcal{L}_1 \cap \mathcal{L}_3$, and (c) $(e,L,R,E) \in \mathcal{L}_0 \cap \mathcal{L}_1 \cap \mathcal{L}_2$.

For part (a), we show that we can reduce the Hamiltonian path problem to the problem of determining whether Query2$(e,L,R,E) = $ true, for some $(e,L,R,E) \in \mathcal{L}_0 \cap \mathcal{L}_2 \cap \mathcal{L}_3$. Given a graph $G(V,E)$, where $V = \{v_1,\ldots,v_n\}$, we take $v_1,\ldots,v_n$ to be primitive principals. We also assume that the language has primitive properties Node, Edge, and Path. For each node $v \in V$, let $g_v$ be the grant $\mathrm{Node}(v)$ (recall that this is an abbreviation for true $\to \mathrm{Node}(v)$). For each edge $e = (v,v') \in E$, let $g_{(v,v')}$ be the grant $\mathrm{Edge}(\{v,v'\})$ (recall that $\{v,v'\}$ is an abbreviation for $\{v\} \cup \{v'\}$). Finally, let $g$ be the grant $\forall x_1 \ldots \forall x_n (d_1 \wedge d_2 \to \mathrm{Path}(\{x_1,\ldots,x_n\}))$, where
$$d_1 = \textstyle\bigwedge_{1 \le i \le n} \mathrm{Said}(\mathit{Alice},\mathrm{Node}(x_i)) \quad\text{and}\quad d_2 = \bigwedge_{1 \le i \le n-1} \mathrm{Said}(\mathit{Alice},\mathrm{Edge}(\{x_i,x_{i+1}\})).$$
Let $L = \{(\mathit{Alice},g_v) \mid v \in V\} \cup \{(\mathit{Alice},g_e) \mid e \in E\}$ and let $R = \{g\}$. It is not hard to show that Query2$(\mathrm{Path}(\{v_1,\ldots,v_n\}),L,R,\emptyset) = $ true iff $G$ has a Hamiltonian path. To see this, observe that Auth2$(\mathrm{Path}(\{v_1,\ldots,v_n\}),L,R,\emptyset)$ returns $\{d_1\sigma \wedge d_2\sigma \mid \sigma(x_i) = v_{\pi(i)},\ i = 1,\ldots,n$, where $\pi$ is some permutation of $\{1,\ldots,n\}\}$. The condition $d_2\sigma$ holds iff there is a path $x_1\sigma,\ldots,x_n\sigma$. Thus, Query2$(\mathrm{Path}(\{v_1,\ldots,v_n\}),L,R,\emptyset) = $ true iff there is a Hamiltonian path in $G$. Moreover, it is clear that $(\mathrm{Path}(\{v_1,\ldots,v_n\}),L,R,\emptyset) \in \mathcal{L}_0 \cap \mathcal{L}_2$, and it is not hard to see that $(\mathrm{Path}(\{v_1,\ldots,v_n\}),L,R,\emptyset) \in \mathcal{L}_3$, because the antecedent of every issued grant is true.
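The reduction in part (a), written out as an added Python example (this is not code from the paper): `encode_licenses` builds the license set $L$ for a graph, `rule_text` renders the single grant $g$ in $R$, and `query2_has_hamiltonian_path` evaluates Query2 on that instance by doing exactly what the proof says Auth2 and Holds2 do on it, namely enumerating one candidate condition $d_1\sigma \wedge d_2\sigma$ per permutation of $V$ and checking each Said atom against the grants Alice issued. The principal Alice and the properties Node, Edge and Path are the paper's; the tuple encoding of grants, the function names and the two sample graphs are this example's own assumptions.

```python
from itertools import permutations
from typing import Iterable, List, Set, Tuple

# Grant encoding assumed by this example (not the paper's concrete syntax):
#   ("Node", v)                -> the grant  true -> Node(v)
#   ("Edge", frozenset({v,w})) -> the grant  true -> Edge({v,w}); a set, so order is irrelevant
# A condition is a tuple of such atoms, each read as Said(Alice, atom).
Atom = Tuple[str, object]
License = Tuple[str, Atom]


def encode_licenses(vertices: Iterable[str], edges: Iterable[Tuple[str, str]]) -> Set[License]:
    """L = {(Alice, g_v) | v in V} U {(Alice, g_e) | e in E}; every antecedent is true."""
    L = {("Alice", ("Node", v)) for v in vertices}
    L |= {("Alice", ("Edge", frozenset(e))) for e in edges}
    return L


def rule_text(n: int) -> str:
    """The one grant g in R, rendered for inspection: forall x1..xn (d1 and d2 -> Path({x1..xn}))."""
    d1 = " and ".join(f"Said(Alice, Node(x{i}))" for i in range(1, n + 1))
    d2 = " and ".join(f"Said(Alice, Edge({{x{i}, x{i + 1}}}))" for i in range(1, n))
    return f"forall x1..x{n} ({d1} and {d2} -> Path({{x1..x{n}}}))"


def auth2_path(vertices: List[str]):
    """Auth2(Path({v1..vn}), L, R, {}): one candidate condition d1*sigma and d2*sigma per closed
    substitution sigma with e_g*sigma = Path({v1..vn}). Because {x1..xn} is a set, those
    substitutions are exactly the permutations of V."""
    for order in permutations(vertices):
        d1 = [("Node", v) for v in order]
        d2 = [("Edge", frozenset((order[i], order[i + 1]))) for i in range(len(order) - 1)]
        yield tuple(d1 + d2)


def holds2(condition: Tuple[Atom, ...], L: Set[License]) -> bool:
    """Holds2(d, L, {}) for this fragment: every license antecedent is true, so
    Said(Alice, c) holds iff (Alice, c) is in L, and the call tree has height 1."""
    return all(("Alice", atom) in L for atom in condition)


def query2_has_hamiltonian_path(vertices: List[str], edges: List[Tuple[str, str]]) -> bool:
    """Query2(Path({v1..vn}), L, R, {}) = true iff some candidate condition holds."""
    L = encode_licenses(vertices, edges)
    return any(holds2(d, L) for d in auth2_path(vertices))


# Constructed instances: the path a-b-c (has a Hamiltonian path) and the star K_{1,3} (has none).
PATH_GRAPH = (["a", "b", "c"], [("a", "b"), ("b", "c")])
STAR_GRAPH = (["c", "l1", "l2", "l3"], [("c", "l1"), ("c", "l2"), ("c", "l3")])

if __name__ == "__main__":
    print(rule_text(3))
    print(query2_has_hamiltonian_path(*PATH_GRAPH), query2_has_hamiltonian_path(*STAR_GRAPH))
```

The enumeration over all $n!$ permutations is the point of the reduction: Auth2 hands Holds2 one condition per substitution, and nothing in the fragment lets the algorithm prune them, which is why membership in $\mathcal{L}_0 \cap \mathcal{L}_2 \cap \mathcal{L}_3$ alone does not buy a polynomial bound.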

For part (b), we show that we can reduce the 3-satisfiability problem to the problem of determining whether Query2$(e,L,R,E) = $ true, for $(e,L,R,E) \in \mathcal{L}_0 \cap \mathcal{L}_1 \cap \mathcal{L}_3$. Let $f = c_1 \wedge \ldots \wedge c_n$ be a formula in propositional logic, where each $c_i$ is a clause with three disjuncts. Let $q_1,\ldots,q_m$ be the primitive propositions mentioned in $f$. We want to determine if $f$ is satisfiable.

To encode the problem as an XrML query, suppose that $p_1,\ldots,p_n,p_t,p_f$ are distinct primitive principals, Pr is a property, and $x_1,\ldots,x_m$ are distinct variables of sort Principal. Let $g_0$ be a fixed closed grant. Given principals $t_1,\ldots,t_m$, we define grants $g_1(t_1),\ldots,g_m(t_1,\ldots,t_m)$ inductively as follows: $g_1(t_1)$ is the grant true $\to \mathrm{Perm}(t_1,\mathrm{issue},g_0)$ and, for $i = 2,\ldots,m$, $g_i(t_1,\ldots,t_i)$ is the grant true $\to \mathrm{Perm}(t_i,\mathrm{issue},g_{i-1}(t_1,\ldots,t_{i-1}))$. Let $e(t_1,\ldots,t_m)$ be the conclusion $\mathrm{Perm}(t_m,\mathrm{issue},g_{m-1}(t_1,\ldots,t_{m-1}))$. For ease of exposition, let $e'$ be the conclusion $e(x_1,\ldots,x_m)$. Let
$$L = \{(p_i,\ \forall x_1 \ldots \forall x_m (e'[x_j/p_t])) \mid q_j \text{ is a disjunct of } c_i\} \cup \{(p_i,\ \forall x_1 \ldots \forall x_m (e'[x_j/p_f])) \mid \neg q_j \text{ is a disjunct of } c_i\}$$
and let $R = \{\forall x_1 \ldots \forall x_m ((\bigwedge_{i=1,\ldots,n} \mathrm{Said}(p_i,e')) \to \mathrm{Pr}(p_t))\}$. We claim that $f$ is satisfiable iff Query2$(\mathrm{Pr}(p_t),L,R,\emptyset) = $ true. Note that $(\mathrm{Pr}(p_t),L,R,\emptyset) \in \mathcal{L}_0 \cap \mathcal{L}_1 \cap \mathcal{L}_3$ since none of the grants mention a variable of sort Resource, the $\cup$ operator is not mentioned in the query, and the antecedent of every issued grant is true.

To prove the claim, first note that Query2$(\mathrm{Pr}(p_t),L,R,\emptyset) = $ true iff $(\bigwedge_{i=1,\ldots,n} \mathrm{Said}(p_i,e'))\sigma$ holds for some substitution $\sigma$. It is not hard to see that if $\sigma$ exists, then $f$ is satisfied by the truth assignment that sets $q_i = $ true if $\sigma$ sets $x_i$ to $p_t$, and sets $q_i$ to false otherwise. Similarly, if $f$ is satisfied by a truth assignment $A$, then $(\bigwedge_{i=1,\ldots,n} \mathrm{Said}(p_i,e'))\sigma$ holds for the substitution $\sigma$ that replaces $x_i$ by $p_t$ if $A$ assigns $q_i$ the value true, and replaces $x_i$ by $p_f$ otherwise.

For part (c), we show that we can reduce the 3-satisfiability problem to the problem of determining whether Query2$(e,L,R,E) = $ true, for $(e,L,R,E) \in \mathcal{L}_0 \cap \mathcal{L}_1 \cap \mathcal{L}_2$. As in part (b), let $f$ be the 3-CNF formula $c_1 \wedge \ldots \wedge c_n$, whose primitive propositions are $q_1,\ldots,q_m$. Define the conclusion $e(t_1,\ldots,t_m)$ as in part (b); again, take $e'$ to be an abbreviation for $e(x_1,\ldots,x_m)$. Let $p'_1,\ldots,p'_m$ be fresh principals, distinct from $p_1,\ldots,p_n,p_f,p_t$. We claim that $f$ is satisfiable iff Query2$(e(p'_1,\ldots,p'_m),L,R,\emptyset) = $ true, where
$$\begin{aligned}
L = {} & \{(p_i,\ \forall x_1 \ldots \forall x_m (\mathrm{Said}(p_{i+1},e'[x_j/p_t]) \to e'[x_j/p])) \mid q_j \text{ is a disjunct of } c_i,\ p \neq p_f,\ i = 1,\ldots,n-1\} \\
& \cup \{(p_i,\ \forall x_1 \ldots \forall x_m (\mathrm{Said}(p_{i+1},e'[x_j/p_f]) \to e'[x_j/p])) \mid \neg q_j \text{ is a disjunct of } c_i,\ p \neq p_t,\ i = 1,\ldots,n-1\} \\
& \cup \{(p_n,\ \forall x_1 \ldots \forall x_m (e'[x_j/p])) \mid q_j \text{ is a disjunct of } c_n \text{ and } p \neq p_f, \text{ or } \neg q_j \text{ is a disjunct of } c_n \text{ and } p \neq p_t\}
\end{aligned}$$
and $R = \{\mathrm{Said}(p_1,e(p'_1,\ldots,p'_m)) \to e(p'_1,\ldots,p'_m)\}$.

If $t_1,\ldots,t_m$ are variable-free principals, let $A(t_1,\ldots,t_m)$ be the set of all truth assignments to $q_1,\ldots,q_m$ such that $q_i$ is assigned true if $t_i = p_t$ and $q_i$ is assigned false if $t_i = p_f$, for $i = 1,\ldots,m$. (If $t_i \notin \{p_t,p_f\}$, then there are no constraints on $q_i$.) Let $A_i(t_1,\ldots,t_m)$ be the set of all truth assignments in $A(t_1,\ldots,t_m)$ under which $c_i \wedge \ldots \wedge c_n$ is true. We show by induction on $n - i$ that $A_i(t_1,\ldots,t_m)$ is nonempty iff $\mathrm{Said}(p_i,e(t_1,\ldots,t_m))$ holds. If $n - i = 0$, then $i = n$. It is easy to see that $A_n(t_1,\ldots,t_m)$ is nonempty iff, for some $j = 1,\ldots,m$, either $q_j$ is a disjunct of $c_n$ and $t_j \neq p_f$, or $\neg q_j$ is a disjunct of $c_n$ and $t_j \neq p_t$. For the inductive step, suppose that $n - i > 0$. Clearly, $A_i(t_1,\ldots,t_m)$ is nonempty iff there is an assignment in $A_{i+1}(t_1,\ldots,t_m)$ under which $c_i$ is true. If there is at least one such assignment, then $A_{i+1}(t'_1,\ldots,t'_m)$ is nonempty, where $t'_1,\ldots,t'_m$ are variable-free principals such that, for some $j \in \{1,\ldots,m\}$ and for all $i' \neq j$, $t'_{i'} = t_{i'}$ and either $q_j$ is a disjunct of $c_i$, $t_j \neq p_f$, and $t'_j = p_t$, or $\neg q_j$ is a disjunct of $c_i$, $t_j \neq p_t$, and $t'_j = p_f$. It follows from the induction hypothesis that $\mathrm{Said}(p_{i+1},e(t'_1,\ldots,t'_m))$ holds and it follows from $L$ that $\mathrm{Said}(p_i,e(t_1,\ldots,t_m))$ holds as well. If there is no assignment in $A_{i+1}(t_1,\ldots,t_m)$ under which $c_i$ is true then, for every disjunct $q_j$ in $c_i$, $t_j = p_f$ and, for every disjunct $\neg q_j$ in $c_i$, $t_j = p_t$. It follows that $A_i(t_1,\ldots,t_m) = \emptyset$ and $\mathrm{Said}(p_i,e(t_1,\ldots,t_m))$ does not hold.

The desired result now follows quickly. It is easy to see that Query2$(e,L,R,\emptyset) = $ true iff $\mathrm{Said}(p_1,e(p'_1,\ldots,p'_m))$ holds. Since none of $p'_1,\ldots,p'_m$ is $p_f$ or $p_t$, by definition, $A(p'_1,\ldots,p'_m)$ consists of all truth assignments. Thus, by the induction argument, it follows that Query2$(e,L,R,\emptyset) = $ true iff $f = c_1 \wedge \ldots \wedge c_n$ is satisfiable. Moreover, it is easy to see that $(e,L,R,\emptyset) \in \mathcal{L}_0 \cap \mathcal{L}_1 \cap \mathcal{L}_2$ because the query does not mention union and, for every variable $x$ mentioned in a grant $g$ that is in $R \cup L$, $x$ is mentioned in the conclusion of $g$. □

We next prove Theorem 5.3, which considers the complexity of determining whether Query2$(e,L,R,E)$ returns true for $(e,L,R,E) \in \mathcal{L}_0 \cap \mathcal{L}_1 \cap \mathcal{L}_2 \cap \mathcal{L}_3^h$. In the statement of the theorem, we viewed $n$ and $h$ as constants. In our proof, we treat them as parameters, so as to bring out their role.

To prove the theorem we need three preliminary lemmas. The first uses the fact that, for every condition $d$, there is a dag (directed acyclic graph) $G_d$ such that $G_d$ represents $d$ and $G_d$ is no larger than $d$. To make this precise, recall that $|s|$ is the length of string $s$ when viewed as a string of symbols. For ease of exposition, we assume that each pair of parentheses and each pair of set braces has length 2, and each comma has length 1. For a graph $G(V,E)$, let $|G| = \#(V) + \#(E)$. It is easy to see that a condition $d$ can be represented as a tree $T_d$, where $|T_d| \le |d|$. For example, we can represent the condition $d = \mathrm{Said}(\{\mathit{Alice},\mathit{Bob}\},\mathrm{Smart}(\mathit{Amy})) \wedge \mathrm{Said}(\{\mathit{Alice},\mathit{Bob}\},\mathrm{Pretty}(\mathit{Amy}))$ as the tree $T_d$ shown in Figure 7. Note that $|d| = 27$ and, because the tree has 13 nodes and 12 edges, $|T_d| = 25$. By "merging" identical subtrees, we can create a dag representation of $d$ that can be substantially smaller than $|d|$. Continuing our example, the dag $D_d$ in Figure 8 represents the condition $\mathrm{Said}(\{\mathit{Alice},\mathit{Bob}\},\mathrm{Smart}(\mathit{Amy})) \wedge \mathrm{Said}(\{\mathit{Alice},\mathit{Bob}\},\mathrm{Pretty}(\mathit{Amy}))$ and $|D_d| = 19$.

Fig. 7. A tree representing Said({Alice, Bob}, Smart(Amy)) ∧ Said({Alice, Bob}, Pretty(Amy)).

Fig. 8. A dag representing Said({Alice, Bob}, Smart(Amy)) ∧ Said({Alice, Bob}, Pretty(Amy)).
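The tree-versus-dag comparison above, as an added Python example (this is not code from the paper): conditions are built as immutable syntax nodes, `symbol_length` applies the paper's counting convention (each bracket pair counts 2, each comma 1), `tree_size` measures the unshared tree, and `dag_size` merges structurally identical subterms by hash-consing, which is what yields $|D_d| = 19$ for the running example against $|T_d| = 25$ and $|d| = 27$. `substitute` is the variable replacement used in Lemma A.10 and Lemma A.12(b), and the test below checks the bound $|G_{d'}| \le |G_{d_g}| + |G_e|$ on a constructed instance. The node labels `And` and `Set`, the function names and the variable convention are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Node:
    """An immutable syntax node: a label plus an ordered tuple of children.
    Structural equality and hashing come from the frozen dataclass, so two
    identical subterms compare equal, which is all hash-consing needs."""
    label: str
    children: Tuple["Node", ...] = ()


# Constructors mirroring the paper's condition syntax.
def principal(name: str) -> Node: return Node(name)
def principal_set(*ps: Node) -> Node: return Node("Set", ps)          # {p1, ..., pk}
def prop(name: str, p: Node) -> Node: return Node(name, (p,))          # Smart(Amy)
def said(p: Node, conclusion: Node) -> Node: return Node("Said", (p, conclusion))
def conj(*conds: Node) -> Node: return Node("And", conds)             # d1 ∧ d2 ∧ ...


def symbol_length(n: Node) -> int:
    """|n| under the paper's counting: each bracket pair counts 2, each comma 1."""
    if not n.children:
        return 1
    inner = sum(symbol_length(c) for c in n.children)
    commas = len(n.children) - 1
    if n.label == "And":
        return inner + commas            # one ∧ between conjuncts, no brackets
    if n.label == "Set":
        return inner + 2 + commas        # braces + commas
    return 1 + 2 + inner + commas        # name + parentheses + commas


def _tree_nodes(n: Node) -> int:
    return 1 + sum(_tree_nodes(c) for c in n.children)


def tree_size(n: Node) -> int:
    """|T_n| = nodes + edges of the unshared syntax tree (edges = nodes - 1)."""
    nodes = _tree_nodes(n)
    return nodes + (nodes - 1)


def dag_size(n: Node) -> int:
    """|D_n| after merging identical subtrees: count each distinct subterm once
    and one edge per child slot of each distinct subterm."""
    seen = set()
    edges = 0
    stack = [n]
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue
        seen.add(cur)
        edges += len(cur.children)
        stack.extend(cur.children)
    return len(seen) + edges


def substitute(n: Node, sigma: Dict[str, Node]) -> Node:
    """Apply a substitution to leaves named in sigma (the variables); a term
    substituted in several places is the same object, so it stays shared."""
    if not n.children:
        return sigma.get(n.label, n)
    return Node(n.label, tuple(substitute(c, sigma) for c in n.children))


# The paper's running example, constructed here.
ALICE_BOB = principal_set(principal("Alice"), principal("Bob"))
AMY = principal("Amy")
D = conj(said(ALICE_BOB, prop("Smart", AMY)), said(ALICE_BOB, prop("Pretty", AMY)))


def paper_example_sizes() -> Tuple[int, int, int]:
    """(|d|, |T_d|, |D_d|) for the running example: (27, 25, 19)."""
    return symbol_length(D), tree_size(D), dag_size(D)


if __name__ == "__main__":
    print(paper_example_sizes())
```

The saving in `dag_size` comes entirely from sharing leaves and the `{Alice, Bob}` subterm; it is the same sharing that Lemma A.10 relies on when a substitution copies a subterm of $e$ into several variable positions of $d_g$.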

Lemma A.10. Suppose that $T$ is the call tree for an execution of Holds2$(d,L,\emptyset)$; every license in $L$ is restrained; the $\cup$ operator is not mentioned in $d$ or in a grant in $L$; and $v$ is a node in $T$ with label Holds2$(d',L,S)$. If $G_d$ is a dag representing $d$, then there exists a dag $G_{d'}$ representing $d'$ such that $|G_{d'}| \le h|L| + |G_d|$, where $h$ is the height of $T$.

Proof. Because $v$ is a node in $T$, there is a path $v_0,\ldots,v_k$ in $T$ such that $v_0$ is the root of $T$ and $v_k = v$. We prove by induction on $k$ that there is a dag $G_{d'}$ representing $d'$ such that $|G_{d'}| \le k|L| + |G_d|$. Since $k \le h$ by assumption, it easily follows that $|G_{d'}| \le h|L| + |G_d|$.

If $k = 0$, then $v$ is the root of $T$, so $d' = d$. If $k > 0$, then $v$ is the child of a node $v_{k-1}$. Let Holds2$(d'',L,S')$ be the label of $v_{k-1}$. The proof is by cases on the structure of $d''$. It follows from the description of Holds2 that $d''$ is not true, because $v_{k-1}$ is not a leaf in $T$. If $d''$ is a conjunction, then $d'$ is a conjunct of $d''$. So the space needed to represent $d'$ is less than the space needed to represent $d''$, and the result follows easily from the induction hypothesis. Finally, if $d''$ has the form $\mathrm{Said}(p,e)$, then it follows from the description of Holds2 that there is a license $(p,g) \in L$, where $g = \forall x_1 \ldots \forall x_m (d_g \to e_g)$, and a closed substitution $\sigma$ such that $d' = d_g\sigma$ and $e_g\sigma = e$. A dag representing $d_g\sigma$ (i.e., $d'$) can be obtained by taking a dag representing $d_g$ and replacing every variable $x$ by a dag representing $\sigma(x)$. Because every grant in $L$ is restrained, $g$ is restrained, so $\sigma$ assigns every variable of sort Resource mentioned in $d_g$ to a term in $e$. Since $\sigma(x)$ is a subterm of $e$ or a primitive principal, given a dag $G_{d_g}$ representing $d_g$ and a dag $G_e$ representing $e$, we can construct a dag $G_{d'}$ representing $d'$ such that $|G_{d'}| \le |G_{d_g}| + |G_e|$. Since, for every condition $d$, there is a tree representation of $d$ whose size is at most $|d|$, there is a dag $G_{d_g}$ representing $d_g$ such that $|G_{d_g}| \le |d_g|$. Because $d_g$ is the antecedent of a grant in $L$, $|d_g| \le |L|$, so it follows that $|G_{d_g}| \le |L|$. Because $e$ is a subterm of $d'' = \mathrm{Said}(p,e)$ and, by the induction hypothesis, there is a dag $G_{d''}$ representing $d''$ such that $|G_{d''}| \le (k-1)|L| + |G_d|$, there is surely a dag $G_e$ representing $e$ such that $|G_e| \le (k-1)|L| + |G_d|$. Putting this all together, it follows that there is a dag $G_{d'}$ representing $d'$ such that $|G_{d'}| \le k|L| + |G_d|$. □

Lemma A.11. If Holds2$(d,L,\emptyset)$ is $h$-bounded, the $\cup$ operator is not mentioned in $d$ or in a grant in $L$, $L$ is both restrained and $n$-restricted, and $G_d$ is a dag representing $d$, then the output of Holds2$(d,L,\emptyset)$ can be determined in time
$$O\big(\max(|G_d|,|L||P_0|^n)\,(|L||P_0|^n)^{h-2}\,(|L||P_0|^n + (h|L| + |G_d|)(h + |L|))\big).$$

Proof. Let $T$ be the call tree for an execution of Holds2$(d,L,\emptyset)$. Our goal is to compute the truth value associated with the root of $T$, since that truth value is the output of Holds2$(d,L,\emptyset)$.

It is clear that once we have written the call tree, computing the truth value of the root can be done in time linear in the number of nodes in the tree. The obvious way to construct the tree is to start at the root and, for each node $v$, construct the successors of $v$ (if there are any). In constructing the call tree, we assume that the condition $d'$ and the elements of the set $S$ in a node labeled Holds2$(d',L,S)$ are described using the dags of Lemma A.10. Consider a node $v$ in $T$ that is labeled Holds2$(d',L,S)$ and is neither the root nor a leaf. Since $v$ is not a leaf, $d' \neq$ true. If $d'$ is a conjunction, then a bound on the number of conjuncts (and hence on the successors of the node) is $|L|$, since $d'$ is of the form $d_g\sigma$, where $d_g$ is the antecedent of a grant $g$ that is in $L$, and $\sigma$ is a closed substitution. It is easy to see that $d_g$, and hence $d_g\sigma$, has at most $|L|$ conjuncts, and these can be computed in time $O(|L|)$.

Suppose that $d'$ is of the form $\mathrm{Said}(p,e)$. If $d' \in S$, then $v$ is a leaf. Since the height of $T$ is at most $h$, $S$ has at most $h$ elements. It follows from Lemma A.10 that each of these elements can be represented using a dag of size at most $h|L| + |G_d|$, so checking whether $\mathrm{Said}(p,e) \in S$ can be done in time $O(h^2|L| + h|G_d|)$. If $d' \notin S$, then each child of $v$ has the form $d_g\sigma$, where $g = \forall x_1 \ldots \forall x_m (d_g \to e_g)$ is a grant in $L$ and $\sigma$ is a closed substitution such that $e_g\sigma = e$. Since every grant in $L$ is restrained and $n$-restricted, $d_g$ mentions at most $n$ variables that are not mentioned in $e_g$, and each of these variables is of sort Principal. Since $d$ and the grants in $L$ do not mention the $\cup$ operator and $\#(P_0) = |P_0|$, there are at most $|P_0|$ substitutions for each such variable and thus $|P_0|^n$ possible substitutions $\sigma$. Finding $\sigma(x)$ for all of the variables $x$ that are mentioned in $e_g$ takes time linear in the size of the dag representing $e$ (since $e_g\sigma = e$). Clearly the dag representing $e$ has size less than that representing $d' = \mathrm{Said}(p,e)$. By Lemma A.10, the latter dag has size at most $h|L| + |G_d|$. Since $\#(L) \le |L|$, there are at most $|L||P_0|^n$ children of $v$, and computing what they are takes time $O(|L||P_0|^n + (h|L| + |G_d|)(h + |L|))$.

Similarly, the root of $T$ has at most $\max(|G_d|,|L||P_0|^n)$ children, since the root has zero children if $d = $ true, fewer than $|G_d|$ children if $d$ is a conjunction, and at most $|L||P_0|^n$ children if $d$ is a Said condition. The children of the root can be computed in time $O(|G_d|)$ if $d$ is a conjunction and in time $O(|L||P_0|^n + |G_d||L|)$ if $d$ is a Said condition. This follows from the reasoning given for the case when the node is neither the root nor a leaf, modified to account for the fact that $d \notin S$, since $S = \emptyset$, and that there is a dag representation of $d$ of size $|G_d|$.

To determine the number of non-leaf nodes of $T$, observe that, if the root of $T$ has $c$ children and each subtree of $T$ has at most $m$ non-leaf nodes, then $T$ has at most $1 + cm$ non-leaf nodes. It follows that $T$ has at most $1 + 2\max(|G_d|,|L||P_0|^n)(|L||P_0|^n)^{h-2}$ non-leaf nodes, since a tree with outdegree at most $c$ and height $h$ has at most $c^h/(c-1) \le 2c^{h-1}$ non-leaf nodes. Thus, it takes time
$$O\big(\max(|G_d|,|L||P_0|^n)\,(|L||P_0|^n)^{h-2}\,(|L||P_0|^n + (h|L| + |G_d|)(h + |L|))\big)$$
to compute the children of the $\max(|G_d|,|L||P_0|^n)(|L||P_0|^n)^{h-2}$ non-leaf nodes other than the root. Since this time dominates the time to compute the children of the root, it is also the time required to compute $T$.

Once $T$ is constructed, the truth value of its root can be computed in time linear in the number of nodes of $T$. Thus, Holds2$(d,L,\emptyset)$ can be computed in time
$$O\big(\max(|G_d|,|L||P_0|^n)\,(|L||P_0|^n)^{h-2}\,(|L||P_0|^n + (h|L| + |G_d|)(h + |L|))\big).$$

□

Lemma A.12. Suppose that $(e,L,R,E)$ is a query in $\mathcal{L}_0 \cap \mathcal{L}_1 \cap \mathcal{L}_2 \cap \mathcal{L}_3^h$ such that $e \notin E$ and $D$ is the output of Auth2$(e,L,R,E)$. Then

(a) $\#(D)$ is at most $\#(P_0)^n(\#(R) + \#(L))$;

(b) if $d$ is a closed condition in $D$, then there is a dag $G_d$ representing $d$ such that $|G_d| \le |R| + |L| + |e|$; and

(c) $D$ can be computed in time $O(|L||E \cup \{e\}| + |L|^2\log(|R|+1) + |L|^2(|L||P_0|^n)^{h+1}h^2)$.
Proof. Let $X$ be an execution of Query2$(e,L,R,E)$ and let $G = G(e,L,R,E,X)$.

For part (a), by Theorem A.9(b), if $e \notin E$, then
$$D = \{d \mid \text{for some grant } \forall x_1 \ldots \forall x_m (d_g \to e_g) \in G \text{ and closed substitution } \sigma,\ d_g\sigma = d \text{ and } e_g\sigma = e\}. \tag{1}$$
Since every grant in $G$ is either in $R$ or $L$, $\#(G) \le \#(R) + \#(L)$. Moreover, because $(e,L,R,E) \in \mathcal{L}_0 \cap \mathcal{L}_2$, for every grant $g = \forall x_1 \ldots \forall x_m (d_g \to e_g) \in G$, there are at most $n$ variables mentioned in $d_g$ that are not mentioned in $e_g$, and each of these variables is of sort Principal. As in the proof of Lemma A.11, it follows that there are at most $\#(P_0)^n$ substitutions of variables in $g$ to closed terms such that $e_g\sigma = e$, because $(e,L,R,E) \in \mathcal{L}_1$. Part (a) follows immediately.

For part (b), let $d$ be a closed condition in $D$. By (1), $d = d_g\sigma$, where $d_g$ is the antecedent of a grant $g \in G$ and $\sigma$ is a closed substitution. By the proof of part (a), $\sigma$ assigns every variable in $d_g$ to a term in $e$ or to a principal in $P_0$. Given dags $G_e$ and $G_{d_g}$ representing $e$ and $d_g$, respectively, we can obtain a dag $G_d$ representing $d$ by replacing every variable in $G_{d_g}$ by either a subgraph of $G_e$ or some $p \in P_0$. So there is a dag $G_d$ representing $d$ such that $|G_d| \le |G_{d_g}| + |G_e|$. Recall that, for every string $s$, there is a dag $G_s$ representing $s$ such that $|G_s| \le |s|$. So there is a dag $G_d$ representing $d$ such that $|G_d| \le |d_g| + |e|$. Since $d_g$ is the antecedent of a grant in $G$ and every grant in $G$ is a grant in $R$ or $L$, $|d_g| \le |R| + |L|$, and we are done.

For part (c), by (1), we can compute $D$ by (i) checking whether $e \in E$; (ii) computing $G$; and (iii) for each grant $g = \forall x_1 \ldots \forall x_m (d_g \to e_g) \in G$, computing $D_g = \{d \mid \text{for some closed substitution } \sigma,\ d_g\sigma = d \text{ and } e_g\sigma = e\}$. (Observe that these are the same steps taken in Auth2; however, our approach computes $G$ more efficiently.) Step (i) takes time $O(|E|)$. We show below that $G$ can be computed in time
$$O\big((|L|^h|P_0|^{n(2h-1)} + |L|^2|P_0|^{n(h-1)})(|P_0|^n + h^2 + h|L|) + |L|^2\log(|R|+1) + |L|(|E| + |e|)\big).$$
For step (iii), essentially the same arguments as those used in Lemma A.11 show that, given grant $g \in G$, $D_g$ can be computed in time $O(|e| + |e_g| + |P_0|^n|d_g|)$. So, $\{D_g \mid g \in G\}$ can be computed in time $O(|G|(|e| + |P_0|^n))$. Since $\#(G) \le \#(R) + \#(L)$, the total time needed to compute $D$ is
$$O\big(|E| + (|L|^h|P_0|^{n(2h-1)} + |L|^2|P_0|^{n(h-1)})(|P_0|^n + |e| + h|L|) + |L|^2\log(|R|+1) + |L|(|E| + |e|) + |R|(|e| + |P_0|^n)\big).$$

For step (ii), let $A = A(e,L,R,E,X)$. For all integers $k \ge 0$, define the set $G'_k$ of grants inductively as follows: $G'_0 = R$ and, for $i > 0$,
$$G'_i = R \cup \{g \mid \text{for some principal } p,\ (p,g) \in L \text{ and } \textstyle\bigwedge_{g' \in G'_{i-1}} g'^{L,A,\emptyset,(E\cup\{e\})} \Rightarrow \mathrm{Perm}(p,\mathrm{issue},c_g) \text{ is acceptably valid}\}.$$
We claim that $G'_{\#(L)} = G$.

To show that $G'_{\#(L)} \subseteq G$, we prove by induction that $G'_i \subseteq G$ for all $i \ge 0$. The base case is immediate because $G'_0 = R$. For the inductive step, it suffices to show that, if there is a license $(p,g) \in L$ and a subset $G' \subseteq G$ such that $\bigwedge_{g' \in G'} g'^{L,A,\emptyset,(E\cup\{e\})} \Rightarrow \mathrm{Perm}(p,\mathrm{issue},c_g)$ is acceptably valid, then $g \in G$. Let
$$\varphi = \Big(\textstyle\bigwedge_{\ell \in L} \ell^{L,A,\emptyset,(E\cup\{e\})}\Big) \wedge \Big(\bigwedge_{g'' \in R} g''^{L,A,\emptyset,(E\cup\{e\})}\Big).$$
Because $(p,g) \in L$, it is immediate from the definition of $G$ that $g \in G$ if $\varphi \Rightarrow \mathrm{Perm}(p,\mathrm{issue},c_g)$ is acceptably valid. Because $G' \subseteq G$, every grant $g' \in G'$ is either in $R$ or there is a principal $p'$ such that $(p',g') \in L$ and $\varphi \Rightarrow \mathrm{Perm}(p',\mathrm{issue},c_{g'})$ is acceptably valid. It follows that $\varphi \Rightarrow \bigwedge_{g' \in G'} g'^{L,A,\emptyset,(E\cup\{e\})}$ is acceptably valid. Since $\bigwedge_{g' \in G'} g'^{L,A,\emptyset,(E\cup\{e\})} \Rightarrow \mathrm{Perm}(p,\mathrm{issue},c_g)$ is acceptably valid, $\varphi \Rightarrow \mathrm{Perm}(p,\mathrm{issue},c_g)$ is acceptably valid.

To show that $G \subseteq G'_{\#(L)}$, we first observe that, for all $i$, $G'_i \subseteq G'_{i+1}$ and, if $G'_i = G'_{i+1}$, then $G'_i = G'_{i+j}$ for all $j \ge 0$. Since $G'_0 = R$ and $G'_i \subseteq R \cup \{g \mid \text{for some principal } p,\ (p,g) \in L\}$, it follows that $G'_{\#(L)} = G'_{\#(L)+1}$. To show that $G \subseteq G'_{\#(L)}$, it suffices to show that for all licenses $(p,g) \in L$ such that $\varphi \Rightarrow \mathrm{Perm}(p,\mathrm{issue},c_g)$ is acceptably valid, $g \in G'_{\#(L)}$. Suppose by way of contradiction that there is a license $(p,g) \in L$ such that $\varphi \Rightarrow \mathrm{Perm}(p,\mathrm{issue},c_g)$ is acceptably valid and $g \notin G'_{\#(L)}$. Let $\varphi' = \bigwedge_{g' \in G'_{\#(L)}} g'^{L,A,\emptyset,(E\cup\{e\})}$. Since $G'_{\#(L)} = G'_{\#(L)+1}$, the grant $g \notin G'_{\#(L)+1}$, so, by the definition of $G'_{\#(L)+1}$, the formula $\varphi' \Rightarrow \mathrm{Perm}(p,\mathrm{issue},c_g)$ is not acceptably valid. It follows that there is an acceptable model $m$ that satisfies $\varphi' \wedge \neg\mathrm{Perm}(p,\mathrm{issue},c_g)$ and is "most forbidding" in the sense that, for all principals $p'$ and grants $g'$, either $m$ does not satisfy $\mathrm{Perm}(p',\mathrm{issue},c_{g'})$ or the model $m'$ that does not satisfy $\mathrm{Perm}(p',\mathrm{issue},c_{g'})$ and is otherwise identical to $m$ does not satisfy $\varphi'$. Since $m$ satisfies $\neg\mathrm{Perm}(p,\mathrm{issue},c_g)$ and $\varphi \Rightarrow \mathrm{Perm}(p,\mathrm{issue},c_g)$ is acceptably valid, $m$ does not satisfy $\varphi$. Because $R \subseteq G'_{\#(L)}$ and $m$ satisfies $\varphi'$, $m$ satisfies $\bigwedge_{g' \in R} g'^{L,A,\emptyset,(E\cup\{e\})}$; so there is a license $(p',g') \in L$ such that $m$ does not satisfy $(p',g')^{L,A,\emptyset,(E\cup\{e\})}$. If $\mathrm{Perm}(p',\mathrm{issue},g') \in E \cup \{e\}$, then $(p',g')^{L,A,\emptyset,(E\cup\{e\})} = $ true, so $m$ satisfies $(p',g')^{L,A,\emptyset,(E\cup\{e\})}$. Thus, $\mathrm{Perm}(p',\mathrm{issue},g') \notin E \cup \{e\}$. But then $(p',g')^{L,A,\emptyset,(E\cup\{e\})} = \mathrm{Perm}(p',\mathrm{issue},c_{g'}) \Rightarrow g'^{L,A,\emptyset,(E\cup\{e\})}$. Since $m$ does not satisfy this formula, $m$ satisfies $\mathrm{Perm}(p',\mathrm{issue},c_{g'})$. By the construction of $m$, the model $m'$ that does not satisfy $\mathrm{Perm}(p',\mathrm{issue},c_{g'})$ and is otherwise identical to $m$ does not satisfy $\varphi'$. So there is a grant $g'' = \forall x_1 \ldots \forall x_n (d_{g''} \to e_{g''}) \in G'_{\#(L)}$ such that $m'$ does not satisfy $g''^{L,A,\emptyset,(E\cup\{e\})}$. Because $m$ satisfies $g''^{L,A,\emptyset,(E\cup\{e\})}$ and the two models $m$ and $m'$ differ only in their interpretation of $\mathrm{Perm}(p',\mathrm{issue},c_{g'})$, it follows from the translation of $g''$ that there is a substitution $\sigma$ such that $e_{g''}\sigma = \mathrm{Perm}(p',\mathrm{issue},g')$, $e_{g''}\sigma \notin E \cup \{e\}$, and $(d_{g''}\sigma)^{L,A,\emptyset,(E\cup\{e\})}$ is valid. So $g''^{L,A,\emptyset,(E\cup\{e\})} \Rightarrow \mathrm{Perm}(p',\mathrm{issue},c_{g'})$ is acceptably valid. Since $g'' \in G'_{\#(L)}$, $\varphi' \Rightarrow \mathrm{Perm}(p',\mathrm{issue},c_{g'})$ is acceptably valid, so $g' \in G'_{\#(L)+1}$. Because $G'_{\#(L)+1} = G'_{\#(L)}$, the grant $g' \in G'_{\#(L)}$ and, since $m$ satisfies $\varphi'$, $m$ satisfies $g'^{L,A,\emptyset,(E\cup\{e\})}$. So $m$ satisfies $(p',g')^{L,A,\emptyset,(E\cup\{e\})}$, which contradicts the assumptions.

We next consider the complexity of computing $G = G'_{\#(L)}$. Let $L' = \{(p,g) \in L \mid \mathrm{Perm}(p,\mathrm{issue},g) \notin E \cup \{e\}\}$. Clearly, we can compute $L'$ in time $c_0|L||E \cup \{e\}|$ for some constant $c_0$. For all $k \ge 0$, let $L'_k = \{(p,g) \in L' \mid g \notin G'_k\}$ and, for all $k \ge 1$, let $G''_k = G'_k - G'_{k-1}$. We plan to compute $G'_k$ inductively. It will be useful in the induction to represent the elements of $G'_k$ in a splay tree. (Recall that a splay tree is a form of binary search tree such that $k$ insertions and searches can be done in a tree with at most $n$ nodes in time $O(k\log n)$ [Sleator and Tarjan 1983].) If $G'_k$ is represented as a splay tree, then we can compute $L'_k$ in time $O(|L|\log(|L| + |R|))$ (since $G'_k \subseteq L \cup R$).

For $0 \le k < \#(L)$,
$$G''_{k+1} = \{g \mid \text{for some principal } p,\ (p,g) \in L'_k \text{ and } \textstyle\bigwedge_{g' \in G''_k} g'^{L,A,\emptyset,(E\cup\{e\})} \Rightarrow \mathrm{Perm}(p,\mathrm{issue},c_g) \text{ is acceptably valid}\}.$$

ACM Journal Name, Vol. V, No. N, 20YY. 



A Formal Foundation for XrML • 41 



By Lemma A. 6, 

G 'k+i = u (P, 9 )eL' fc U 9 , eG »{ ff | g > L > A MEu{e}) ^ p er m(p, issue, c g ) is acceptably valid}. 

Moreover, it follows from Lemma A. 6 that, for (p,g) g L' , g' L > A $>(. EU { e }) 
Perm(p, issue, c g ) is acceptably valid iff the formula d g >a is valid for some A-closed 
substitution a such that e g io = Perm(p, issue, c g ), where g' = Vrri . . .\/x n {d g i => 
e g i). Given (p, g) g L' with g ^ G' k and </ g G' fc ', we can clearly check 
in time Ci(|e g /| + |(p,ff)|) if there exists an A-closed substitution a such that 
e g iu = Perm(p, issue, g), where c\ is a constant independent of k. If so, as in 
part (a), there are at most #(Po)" distinct formulas of the form d g io (since there 
are at most #(Pn) n possible substitutions for the free variables in d g >). It fol- 
lows from Theorem A.9(a) that d g -a L ' A ' $ ^ Eu ^ is valid iff Holds2 (d g /cr, L, 0) = 
true. We show shortly that there is an execution of Query2(e, L, R, E) that 
calls Holds2(d 9 /CT, L, 0), so Holds2(cZ ff /cr, L, 0) is /i-bounded. It follows from 
Lemma A. 11 that we can determine if Holds2(d 9 <cr, L, 0) = true in time 
c 2 max(|G ds/CT |, |L||P | n )(|£||i > o| n )' , - 2 (|i||i'o| n + (h\L\ + \G dg , a \){h + \L\)), where 
c 2 is a constant independent of k and Gd g ,a is a dag representing d g >a. As in the 
proof of part (b), we can obtain G4 ia from a dag , representing d g i by replacing 
every variable with a principal in Pq or a resource mentioned in Perm(p, issue, g). 
So there is a dag Gd , CT representing d g io such that |G<j ((T | < \d g >\ + \g\. Re- 
peating this process for each of the at most |Pn|™ formulas d g /a, it follows that 
we can check if g' L , A $A E u{e}) _^ p e rm(p, issue, c g ) is acceptably valid in time 

C2 |Po| rl max(|d 3 H + l5Ui||Por)(|i||Po| n )^ 2 (|i||Por + ^|i| + M 9 n + l5l)(^+|i|))- 
Assuming we have already computed $L'_k$ and $G'_k$, we can repeat the process above for all $g' \in G'_k$ and $(p,g) \in L'_k$. It is not hard to show that we can compute $G'_{k+1}$ in time

$$\begin{aligned}
& \sum_{g' \in G'_k} \sum_{(p,g) \in L'_k} \Big[ c_1(|e_{g'}| + |(p,g)|) + c_2 |P_0|^n \max(|d_{g'}| + |g|, |L||P_0|^n)\,(|L||P_0|^n)^{h-2}\,(|L||P_0|^n + (h|L| + |d_{g'}| + |g|)(h + |L|)) \Big] \\
&\le 2c_1 |G'_k||L| + c_2 |P_0|^n (|L||P_0|^n)^{h-2} (h + |L|) \sum_{g' \in G'_k} \sum_{(p,g) \in L'_k} (|d_{g'}| + |g| + |L||P_0|^n)(|L||P_0|^n + h|L| + |d_{g'}| + |g|) \\
&\le 2c_1 |G'_k||L| + c_2 |P_0|^n (|L||P_0|^n)^{h-2} (h + |L|) \cdot 2|G'_k||L|^2|P_0|^n (|L||P_0|^n + h|L| + |G'_k| + |L|) \\
&\le 2c_1 |G'_k||L| + 2c_2 |G'_k| (|L||P_0|^n)^{h} (h + |L|)(|L||P_0|^n + h|L| + |G'_k| + |L|) \\
&\le c_3 |G'_k| (|L||P_0|^n)^{h} (h + |L|)(|L||P_0|^n + h|L| + |G'_k| + |L|)
\end{aligned}$$

for some constant $c_3$. We can then build the splay tree for $G'_{k+1}$ by inserting the grants in $G'_{k+1}$ into the splay tree for $G'_k$; this can be done in time $O(|G'_{k+1}| \log(|L| + |R|))$.

Since $\bigcup_k G'_k \subseteq L$, the total time to compute $G'_1, \ldots, G'_k$ (ignoring the time to compute the sets $L'$ and $L'_k$, and to build the splay trees for $G'_k$) is at most
$$c_4 |L|^2 (|L||P_0|^n)^{h+1} h^2$$
for some constant $c_4$; i.e., it is $O(|L|^2 (|L||P_0|^n)^{h+1} h^2)$.

Now taking into account the complexity of computing $L'$ and $L'_k$ and of building the splay trees, and using the observation that $\log(a + b) \le \log(a + 1) + \log(b + 1)$, we get that the complexity for computing $G$ is
$$O(|L||E \cup \{e\}| + |L|^2 \log(|R| + 1) + |L|^2 (|L||P_0|^n)^{h+1} h^2).$$


It remains to show that if $g' = \forall x_1 \ldots \forall x_n (d_{g'} \Rightarrow e_{g'}) \in G'_k - G'_{k-1}$, $(p,g) \in L'$ with $g \notin G'_k$, and $e_{g'}\sigma = \mathrm{Perm}(p, \mathrm{issue}, g)$ for an $A$-closed substitution $\sigma$, then there is an execution $X$ of $\mathrm{Query2}(e, L, R, E)$ that calls $\mathrm{Holds2}(d_{g'}\sigma, L, \emptyset)$. Because $e \notin E$ by assumption, $\mathrm{Query2}(e, L, R, E)$ calls $\mathrm{Auth2}(e, L, R, E)$, which calls $\mathrm{Query2}(\mathrm{Perm}(p, \mathrm{issue}, g), L, R, E \cup \{e\})$, which calls $\mathrm{Auth2}(\mathrm{Perm}(p, \mathrm{issue}, g), L, R, E \cup \{e\})$. Since $(p,g) \in L'$, $\mathrm{Perm}(p, \mathrm{issue}, g) \notin E \cup \{e\}$. It follows that $\mathrm{Auth2}(\mathrm{Perm}(p, \mathrm{issue}, g), L, R, E \cup \{e\})$ computes $G(\mathrm{Perm}(p, \mathrm{issue}, g), L, R, E \cup \{e\}, X)$ and, if $g' \in G(\mathrm{Perm}(p, \mathrm{issue}, g), L, R, E \cup \{e\}, X)$, then $\mathrm{Auth2}(\mathrm{Perm}(p, \mathrm{issue}, g), L, R, E \cup \{e\})$ returns a set $D$ that includes $d_{g'}\sigma$. After $\mathrm{Auth2}(\mathrm{Perm}(p, \mathrm{issue}, g), L, R, E \cup \{e\})$ returns $D$, it is easy to see that some execution of $\mathrm{Query2}(\mathrm{Perm}(p, \mathrm{issue}, g), L, R, E \cup \{e\})$ calls $\mathrm{Holds2}(d_{g'}\sigma, L, \emptyset)$. So, in short, it suffices to show that $g' \in G(\mathrm{Perm}(p, \mathrm{issue}, g), L, R, E \cup \{e\}, X)$. The proof is by induction on $k$. If $k = 0$, then $g' \in R \subseteq G(\mathrm{Perm}(p, \mathrm{issue}, g), L, R, E \cup \{e\}, X)$. If $k > 0$ then, by the induction hypothesis, $G'_{k-1} \subseteq G(\mathrm{Perm}(p, \mathrm{issue}, g), L, R, E \cup \{e\}, X)$,

so
$$\bigwedge_{l \in L} l^{\,L,A,\emptyset,E \cup \{e\} \cup \{\mathrm{Perm}(p,\mathrm{issue},g)\}} \;\wedge\; \bigwedge_{g'' \in R} g''^{\,L,A,\emptyset,E \cup \{e\} \cup \{\mathrm{Perm}(p,\mathrm{issue},g)\}} \;\Rightarrow\; \bigwedge_{g'' \in G'_{k-1}} g''^{\,L,A,\emptyset,E \cup \{e\} \cup \{\mathrm{Perm}(p,\mathrm{issue},g)\}}$$
is acceptably valid. Since $g' \in G'_k - G'_{k-1}$, there is a grant $g'' \in G'_{k-1}$ and a principal $p'$ such that $(p', g') \in L$ and $g''^{\,L,A,\emptyset,E \cup \{e\}} \Rightarrow \mathrm{Perm}(p', \mathrm{issue}, g')$ is acceptably valid. Because $g' \in G'_k$ and $g \notin G'_k$, $g \ne g'$ and, thus, it follows from the translation that $g''^{\,L,A,\emptyset,E \cup \{e\} \cup \{\mathrm{Perm}(p,\mathrm{issue},g)\}} \Rightarrow \mathrm{Perm}(p', \mathrm{issue}, g')$ is acceptably valid. Putting the pieces together, there is a principal $p'$ such that $(p', g') \in L$ and
$$\bigwedge_{l \in L} l^{\,L,A,\emptyset,E \cup \{e\} \cup \{\mathrm{Perm}(p,\mathrm{issue},g)\}} \;\wedge\; \bigwedge_{g'' \in R} g''^{\,L,A,\emptyset,E \cup \{e\} \cup \{\mathrm{Perm}(p,\mathrm{issue},g)\}} \;\Rightarrow\; \mathrm{Perm}(p', \mathrm{issue}, g')$$
is acceptably valid, so $g' \in G(\mathrm{Perm}(p, \mathrm{issue}, g), L, R, E \cup \{e\}, X)$. □



We are now ready to prove Theorem 5.3. 



Theorem 5.3. For fixed $n$ and $h$, if $(e,L,R,E) \in \mathcal{L} \cap \mathcal{L}_1 \cap \mathcal{L}_2 \cap \mathcal{L}_3$, determining whether $\mathrm{Query2}(e, L, R, E)$ returns $\mathit{true}$ takes time $O(|L||E| + (|R| + |L|)(|L|^{h-1}(|L| + |R| + |e|)^2))$.



Proof. Let $D$ be the output of $\mathrm{Auth2}(e, L, R, E)$. It is immediate from the description of Query2 that $\mathrm{Query2}(e, L, R, E) = \mathit{true}$ iff there is some condition $d \in D$ such that $\mathrm{Holds2}(d, L, \emptyset) = \mathit{true}$. So the output of $\mathrm{Query2}(e, L, R, E)$ can be determined in time $T + \#(D)\,T'$, where $T$ is the time needed to compute $D$ and $T'$ is the time needed to determine the output of $\mathrm{Holds2}(d, L, \emptyset)$ for a condition $d \in D$. By Lemma A.12(c), $T = c_1(|L||E \cup \{e\}| + |L|^2 \log(|R| + 1) + |L|^2(|L||P_0|^n)^{h+1}h^2)$ for some constant $c_1$. If $n$ and $h$ are treated as constants, then $T = c'_1(|L||E \cup \{e\}| + |L|^2 \log(|R| + 1) + |L|^{h+3})$ for some constant $c'_1$; i.e., $T$ is $O(|L||E \cup \{e\}| + |L|^2|R| + |L|^{h+3})$.

By Lemma A.12(a), $\#(D) \le \#(P_0)^n(\#(R) + \#(L))$. By Lemma A.11, $T'$ is at most $c_2(|G_d| + |L||P_0|^n)(|L||P_0|^n)^{h-2}(|L||P_0|^n + (h|L| + |G_d|)(h + |L|))$, for some constant $c_2$. If $n$ and $h$ are treated as constants, then there is a constant $c'_2$ such that $T'$ is at most
$$\begin{aligned}
& c'_2 (|G_d| + |L|)\,|L|^{h-2}\,(|L| + (|L| + |G_d|)|L|) \\
&= c'_2 |L|^{h-1} (|G_d| + |L|)(1 + (|L| + |G_d|)) \\
&\le c'_2 |L|^{h-1} (|G_d| + |L|)(2(|G_d| + |L|)) \\
&= 2c'_2 |L|^{h-1} (|G_d| + |L|)^2 .
\end{aligned}$$
Since, by Lemma A.12(b), $|G_d| \le |R| + |L| + |e|$, it follows that $T' \le 2c'_2|L|^{h-1}(2|L| + |R| + |e|)^2$, i.e., $O(|L|^{h-1}(|L| + |R| + |e|)^2)$.

Since $\#(D) \le \#(P_0)^n(\#(R) + \#(L)) \le |P_0|^n(|R| + |L|)$, a straightforward computation shows that $T + \#(D)\,T'$, the time needed to determine whether $\mathrm{Query2}(e, L, R, E)$ returns $\mathit{true}$, is $O(|L||E| + (|R| + |L|)(|L|^{h-1}(|L| + |R| + |e|)^2))$. □

Theorem 7.2. Let $(e,L,R,E)$ be a tuple in $\mathcal{L} \cap \mathcal{L}_1 \cap \mathcal{L}_2 \cap \mathcal{L}_3$ extended to include negated Said conditions and negated conclusions. The problem of deciding whether
$$\bigwedge_{l \in L} l^{\,L,A,\emptyset,E} \;\wedge\; \bigwedge_{g \in R} g^{\,L,A,\emptyset,E} \;\Rightarrow\; e^{\,L,A,\emptyset,E}$$
is valid is NP-hard. This result holds even if $e$, all of the licenses in $L$, and all of the conclusions in $E$ are in XrML, all but one of the grants in $R$ are in XrML, and the one grant that is in XrML$^{\neg}$ $-$ XrML is of the form $\forall x_1 \ldots \forall x_n (\neg e)$.

Proof. The proof is by reduction from the 3-satisfiability problem. The reduction is identical to the reduction given in the proof for the case of $\mathcal{L} \cap \mathcal{L}_1 \cap \mathcal{L}_3$ in Theorem 5.2, except that $R = \{\forall x_1 \ldots \forall x_m ((\bigwedge_{i=1}^{n} \mathrm{Said}(p_i, e')) \Rightarrow e'),\ \neg e'\}$. To show that $\mathrm{Query2}(e, L, R, \emptyset) = \mathit{true}$ iff $f$ is valid, we observe that $\mathrm{Query2}(e, L, R, \emptyset) = \mathit{true}$ iff $L$ and $R$ imply $\mathit{false}$, which occurs iff $\bigwedge_{i=1}^{n} \mathrm{Said}(p_i, e')\sigma$ holds for some substitution $\sigma$. The rest of the argument proceeds as in the proof of Theorem 5.2. □
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